CKA Day 20 — SSL/TLS Explained Simply
Day 20 of the 40-day CKA course by Tech Tutorials with Piyush.
Core Synthesis
This lesson explains SSL/TLS from first principles — the cryptographic protocol that secures communication between a client (browser) and a server over the internet. While Day 20 sits inside the CKA course, the content is foundational networking knowledge that underpins every HTTPS connection, Kubernetes API server, and service mesh.
What Is SSL/TLS?
TLS (Transport Layer Security) is the modern successor to SSL (Secure Sockets Layer). Both provide:
- Encryption — Data is scrambled so only the intended recipient can read it
- Authentication — The client verifies the server’s identity via certificates
- Integrity — Data cannot be tampered with in transit without detection
Note: SSL 2.0 and 3.0 are deprecated and insecure. Modern systems use TLS 1.2 or TLS 1.3. The terms are still used interchangeably in conversation, but technically TLS is the correct protocol name. Source: CKA Day 20
The TLS Handshake (Simplified)
Before any application data flows, client and server perform a handshake to agree on encryption parameters and authenticate each other:
Client Server
│ │
│── ClientHello (supported cipher suites)──▶│
│ │
│◀── ServerHello (chosen cipher suite) ───│
│◀────────── Certificate (public key) ─────│
│ │
│─── Key exchange (encrypted pre-master)──▶│
│ │
│◀──────────── "ChangeCipherSpec" ─────────│
│ │
│─── Encrypted application data ──────────▶│
Key steps:
- ClientHello — Client proposes TLS version and supported cipher suites
- ServerHello + Certificate — Server picks a cipher suite and sends its X.509 certificate containing its public key
- Key Exchange — Client encrypts a pre-master secret with the server’s public key; both sides derive symmetric session keys
- Encrypted Session — All subsequent traffic uses fast symmetric encryption (AES)
Public Key vs Symmetric Key
| Aspect | Asymmetric (Public/Private) | Symmetric (Shared Secret) |
|---|---|---|
| Keys | Two: public (encrypt) and private (decrypt) | One: same key encrypts and decrypts |
| Speed | Slow (RSA/ECDSA operations) | Fast (AES/ ChaCha20 operations) |
| Use in TLS | Handshake only (authenticate & exchange) | Bulk data encryption for the session |
TLS uses asymmetric cryptography only to bootstrap the connection; once the shared secret is established, all data flows over symmetric encryption for performance.
Certificates and Certificate Authorities (CAs)
A TLS certificate is a digital document that binds a public key to an identity (domain name, organization). It is signed by a Certificate Authority (CA) — a trusted third party that vouches for the binding.
| Component | Role |
|---|---|
| Certificate | Contains public key, domain name, validity dates, issuer |
| Private Key | Kept secret on the server; used to decrypt the pre-master secret |
| CA | Signs certificates; browsers ship with a root CA trust store |
| Chain | Intermediate CAs bridge root CAs to end-entity certificates |
Certificate validation steps:
- Server presents its certificate + intermediate chain
- Client checks that the certificate is signed by a trusted CA (or intermediate)
- Client verifies the certificate has not expired
- Client confirms the certificate’s Subject/SAN matches the requested hostname
- Client checks the certificate has not been revoked (CRL/OCSP)
Self-Signed Certificates
A self-signed certificate is signed by its own private key rather than a public CA. Useful for:
- Internal services and development environments
- Kubernetes API server bootstrap (before cluster CA is established)
- Private PKI where you control the trust store
Warning: Browsers reject self-signed certificates by default because they cannot verify trust. You must add the self-signed CA to the client trust store for it to work.
TLS in Kubernetes
TLS appears throughout the Kubernetes architecture:
| Component | TLS Usage |
|---|---|
| kube-apiserver | HTTPS (port 6443) with client certificate authentication |
| etcd | Peer-to-peer TLS between etcd nodes; client TLS for API server |
| kubelet | Client certificates for authenticating to the API server |
| Ingress / Service Mesh | TLS termination at the edge (cert-manager, Let’s Encrypt) |
Secret type kubernetes.io/tls | Native Kubernetes object for storing cert + key pairs |
Common TLS Versions and Best Practices
| Version | Status | Recommendation |
|---|---|---|
| SSL 2.0 / 3.0 | Deprecated, insecure | Never use |
| TLS 1.0 / 1.1 | Deprecated | Disable in production |
| TLS 1.2 | Widely supported | Minimum acceptable |
| TLS 1.3 | Latest (faster handshake, fewer cipher suites) | Prefer when supported |
CKA Exam Relevance
While the CKA exam does not require deep TLS mathematics, you must understand:
- How certificates authenticate the API server and kubelets
- Where private keys and certificates live (
/etc/kubernetes/pki/) - How to check certificate expiry (
openssl x509 -in cert.pem -text -noout) - That
kubernetes.io/tlsSecrets hold certificate + key pairs for Ingress and services
See Also
Wiki Concepts
- TLS Fundamentals — Deep-dive page with handshake detail, certificate anatomy, cipher suites, and Kubernetes-specific TLS patterns
- Kubernetes Architecture — API server, etcd, and kubelet TLS communication
- Kubernetes ConfigMaps and Secrets —
kubernetes.io/tlsSecret type for storing certificates - Sidecar Pattern — TLS termination sidecars (Envoy, nginx, Istio)
- Kubernetes Health Probes — HTTPS liveness/readiness probes
- Client-Server Architecture — HTTPS as the secured application layer protocol
- Zero Trust Access — mTLS and identity-aware security
- Security Index — Broader security domain overview
- CKA Certification — Exam structure where TLS appears in Architecture domain
- CKA Study Roadmap — 40-day plan: Day 20 covers SSL/TLS fundamentals
Related Sources
- CKA Day 19 — Kubernetes ConfigMap and Secret Explained — Preceding day in the series
Creator / Entity
- Tech Tutorials with Piyush — Creator of the 40-day CKA course
Tags: cka kubernetes ssl tls security networking certificates encryption devops