Kubernetes TLS

TLS is the cryptographic protocol that powers encryption for many network applications. To use Kubernetes TLS, you need certificates. TLS certificates are fundamental to standing up a Kubernetes cluster and for interacting with/within the cluster. Given this reliance on certificates, we are often asked for advice on how to “do certificates in Kubernetes”.

"Doing certificates in Kubernetes" can mean a lot of things!

Here’s a hit list of places where you can use TLS certificates:

  • Kubernetes Ingresses / ingress controllers
  • Containers (the application in a container needs a cert)
  • Service mesh
  • kubernetes.io/tls secrets
  • The Kubernetes datastore (eg. etcd)
  • Kubernetes Nodes and other components
  • Admission Controllers
  • Users and Kubernetes API Server connections

At Smallstep, we’ve thought deeply about these cases and have created a series of articles to help you on your journey toward Kubernetes TLS.

It all starts with a question - “What are you looking to achieve?”

  1. I want to securely expose Kubernetes services outside my cluster.
  2. I want to get a cert for a service running in a container or pod.
  3. I am bringing up a cluster and I need certs to secure Kubernetes itself.

Kubernetes can be a complex beast. There's a lot of concepts to learn and practice before one knows what they’re doing. It can become even more difficult to secure Kubernetes while wrangling the other moving pieces of your cluster. Regardless of the network hierarchy and policies in place, automating security by design will always make your cluster’s workload safer and more reliable.

Using Certificate Manager alongside some of Smallstep’s open-source projects, it suddenly becomes simple to automate certificate issuance into a Kubernetes deployment. All you need is a little bit of YAML and a working cluster to start issuing Kubernetes TLS certificates to your microservices, and stop bad actors in their tracks. Simple and straightforward tooling can make the difference between an exposed microservice, and one that is secure by design.