smallstep_full_white

Kubernetes Install TLS

Kubernetes is a distributed system, and it uses TLS certificates extensively for connecting components. When following Kelsey Hightower’s popular Kubernetes the Hard Way instructions you will be guided to use cfssl for generating one-year certs for the following components: etcd, kube-apiserver, kube-controller-manager, kube-scheduler, kubelet, and kube-proxy. Issuing certificates to all of these components and keeping them renewed is one of the hardest parts of running k8s yourself.

Beyond certificates for the components, you will need to secure the API server and any Admission Controllers. The API Server is the API you connect to in order to push pods and whatnot. This API uses TLS and needs a certificate.

Our Recommendation

We think issuing a one-year certificate and moving on is setting you up for pain 365 days later. So much so, that we blogged about a better way and created a pull request to Hightower's repo. You should certainly check it out if you are building a Kubernetes cluster from scratch.

Extra Credit: Admission Controllers

An Admission Controller is a plugin that can intercept calls to the Kubernetes API server and modify the request or reject it altogether. For example, the autocert project also uses a mutating Admission Controller to inject a secret into the Pod-spec during Pod creation. Admission Controllers are invoked via Webhook and will only connect over TLS.

When you create an Admission Controller Resource with the API Server, you tell the API Server rules for when to invoke your Admission Controller (e.g., on pod create) and you specify a CA Bundle that the API Server should use as the root of trust when it connects to your Admission Controllers. In short, Admission Controllers must use TLS, so they need certs.

The right way to deliver a certificate to an Admission Controller is a little hard to answer broadly, since Admission Controllers are just HTTPS endpoints, which means they can run anywhere and be implemented however you'd like. That said, it's very common to run an Admission Controller as a pod in the cluster itself. So in this scenario, delivering a TLS certificate to an Admission Controller is the same as delivering a certificate to any other container.