
6.07 Kubernetes Certificates API

🎯 Why Certificates API?

The manual process does not scale:

  • Admin signs CSRs manually using CA key
  • Shares signed certificate
  • Repeats for renewal

The Kubernetes Certificates API lets you:

  • Submit CSR objects
  • Review requests
  • Approve or deny
  • Automatically sign certificates
  • Rotate certificates

🔐 Where is the CA?

CA consists of:

  • ca.crt
  • ca.key

In kubeadm clusters:

/etc/kubernetes/pki/

Danger

Anyone who can read ca.key can sign certificates for any identity, including cluster admins. Restrict the file to mode 600 and limit who can access the host.


🧩 Certificates API Flow

Generate a private key and a CSR for the user:

openssl genrsa -out jane.key 2048
openssl req -new -key jane.key -subj "/CN=jane" -out jane.csr

Base64-encode the CSR on a single line (this value goes into spec.request):

cat jane.csr | base64 | tr -d '\n'

Create jane-csr.yaml:

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: jane-csr
spec:
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 600
  usages:
    - client auth
  request: <BASE64_ENCODED_CSR>

Submit the request, review it, then approve:

kubectl apply -f jane-csr.yaml
kubectl get csr
kubectl certificate approve jane-csr

📜 Extract Signed Certificate

kubectl get csr jane-csr -o yaml

Locate:

status:
  certificate: <BASE64_DATA>

Decode:

echo "<BASE64_DATA>" | base64 --decode > jane.crt

User now has:

  • jane.key
  • jane.crt

⚙ Who Signs the Certificate?

The kube-controller-manager runs two controllers:

  • CSR Approving Controller
  • CSR Signing Controller

It requires:

--cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt
--cluster-signing-key-file=/etc/kubernetes/pki/ca.key

Warning

If these flags are missing or incorrect, CSRs remain Pending.


🔎 Important CSR Fields

| Field | Purpose |
|---|---|
| signerName | Which signer handles the request (determines the certificate type) |
| expirationSeconds | Requested validity duration |
| usages | Key usages, e.g. client auth / server auth |
| request | Base64-encoded PEM CSR data |

Common signerNames:

  • kubernetes.io/kube-apiserver-client
  • kubernetes.io/kubelet-serving
  • kubernetes.io/kube-apiserver-client-kubelet

🛡 Production Best Practices

✅ DO

Success

  • Use Certificates API instead of manual signing
  • Restrict CSR approval via RBAC
  • Monitor CSR creation and approvals
  • Use short-lived certificates
  • Enable kubelet certificate rotation
  • Audit CSR approvals regularly

❌ DON'T

Danger

  • Do NOT auto-approve all CSRs blindly
  • Do NOT expose CA private key
  • Do NOT grant CSR approve to regular users
  • Do NOT ignore Pending CSRs
  • Do NOT use long-lived certificates unnecessarily
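Least-privilege RBAC for CSR approvers, as an added example that is not part of the original notes. Approval needs two things: update on the certificatesigningrequests/approval subresource and the approve verb on the signers resource, where resourceNames pins the role to one signer. The names csr-approver-client and cert-approvers are assumed placeholders.

```yaml
# Added example (not from the original notes): least-privilege RBAC for CSR approvers.
# csr-approver-client and cert-approvers are assumed placeholder names.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: csr-approver-client
rules:
  # Read CSRs so the approver can inspect spec.request, username and groups before acting.
  - apiGroups: ["certificates.k8s.io"]
    resources: ["certificatesigningrequests"]
    verbs: ["get", "list", "watch"]
  # Approving or denying is an update of the "approval" subresource ...
  - apiGroups: ["certificates.k8s.io"]
    resources: ["certificatesigningrequests/approval"]
    verbs: ["update"]
  # ... and the API server additionally requires "approve" on the signer named in
  # spec.signerName. resourceNames limits this role to the client-certificate signer,
  # so holders cannot approve kubelet-serving or other signers.
  - apiGroups: ["certificates.k8s.io"]
    resources: ["signers"]
    resourceNames: ["kubernetes.io/kube-apiserver-client"]
    verbs: ["approve"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: csr-approver-client
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: csr-approver-client
subjects:
  # Bind a small, named reviewer group, never system:authenticated or all developers.
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: cert-approvers
```

With this applied, a member of cert-approvers can run kubectl certificate approve jane-csr, while an approval of a CSR whose signerName is kubernetes.io/kubelet-serving is rejected by the API server.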

🚨 Common Production Issues

| Issue | Cause |
|---|---|
| CSR stuck in Pending | Nobody has approved it |
| Approved but no certificate issued | Signing controller misconfigured (see the flags above) |
| TLS handshake failure | Wrong signerName |
| Privilege escalation | Weak RBAC control over CSR approval |

🔄 Certificate Rotation

Certificates expire.

Use:

kubeadm certs renew all

Or enable automatic kubelet rotation.

Tip

Monitor expiry dates and alert at least 30 days before a certificate expires.


🎯 Summary

  • Certificates API automates certificate lifecycle
  • CSR objects replace manual CA signing
  • Controller Manager signs certificates
  • Protect CA private key
  • Control approvals with RBAC
  • Monitor and rotate proactively

Quote

Certificates API enables scalable certificate management — but requires strict approval governance.