• Needed to gurantee trust between two parties

  • Public Key : .pem, .crt

  • Private Keys : .key, -key.pem

  • Server should have server certificates

  • Client should have client certificates

  • Every compnent in K8s has a certificate & key it uses.

  • Certificate Authority (CA) has their own certificate (ca.cert) & key(ca.key)

  • We use CA certs to sign new certificates on creation

  • All certificate related operations are carried out by controller manager

Certificate Creation

  • To generate certificates there are different tools [EasyPRSA, OpenSSL, CFSSL]

  • We will use OpenSSL

  • CA Certificates:

    • Generate:

      openssl genrsa -out ca.key 2048
    • Certificate Signing:

      openssl req -new -key ca.key  -subj "/CN=KUBERNETES-CA" -out ca.casr
    • Sign Certificates

      openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt
  • Admin User:

    • Generate:

      openssl genrsa -out admin.key 2048
    • Ceritificate Signing Request:

      openssl req -new -key admin.key -subj "/CN=kube-admin/O=system:masters" -out admin.csr
    • Sign Certificates

      openssl x509 -req -in admin.csr -CA ca.crt -CAkey ca.key -out admin.crt
  • ETCD server needs additional certificates for its own communicate called as peer certificates

  • kubeapisever includes and has etcd certificates, kubelet certificates, ca certificates, tls certificate.

  • kubelet certificte is named after its node name.

View Certificates

openssl x509 -in /etc/kubernetes/pki apiserver.crt -text -noout

TLS Certificate API

  • You can see certificate requests

    kubectl get csr
  • kubectl certificate approve <name>
  • kubectl get csr <name> -o yaml
  • cat <name>.csr | base64 | tr -d '\n' OR
    cat <name>.csr | base64 -w 0
  • kubectl delete csr <name>
  • kubectl certificate deny <name>


  • We need authentication while using kubectl. But passing certificate with every command is not a good task

  • So, we save these certificate flags --flags=name.key inside kubeconfig file

  • Context can be defined as user@cluster

  • Default context is stored in current-context (Under kind)

  • kubectl conig use-context <context-name>
  • kube conig view --kubeconfig /path/

Kubernetes API Groups

/metrics, /healthz, /version, /logs, /apis

Last updated