CKA Day 20 — SSL/TLS Explained Simply

Day 20 of the 40-day CKA course by Tech Tutorials with Piyush.

Core Synthesis

This lesson explains SSL/TLS from first principles — the cryptographic protocol that secures communication between a client (browser) and a server over the internet. While Day 20 sits inside the CKA course, the content is foundational networking knowledge that underpins every HTTPS connection, Kubernetes API server, and service mesh.

What Is SSL/TLS?

TLS (Transport Layer Security) is the modern successor to SSL (Secure Sockets Layer). Both provide:

  1. Encryption — Data is scrambled so only the intended recipient can read it
  2. Authentication — The client verifies the server’s identity via certificates
  3. Integrity — Data cannot be tampered with in transit without detection

Note: SSL 2.0 and 3.0 are deprecated and insecure. Modern systems use TLS 1.2 or TLS 1.3. The terms are still used interchangeably in conversation, but technically TLS is the correct protocol name. Source: CKA Day 20

The TLS Handshake (Simplified)

Before any application data flows, client and server perform a handshake to agree on encryption parameters and authenticate each other:

Client                                    Server
   │                                         │
   │── ClientHello (supported cipher suites)──▶│
   │                                         │
   │◀── ServerHello (chosen cipher suite) ───│
   │◀────────── Certificate (public key) ─────│
   │                                         │
   │─── Key exchange (encrypted pre-master)──▶│
   │                                         │
   │◀──────────── "ChangeCipherSpec" ─────────│
   │                                         │
   │─── Encrypted application data ──────────▶│

Key steps:

  1. ClientHello — Client proposes TLS version and supported cipher suites
  2. ServerHello + Certificate — Server picks a cipher suite and sends its X.509 certificate containing its public key
  3. Key Exchange — Client encrypts a pre-master secret with the server’s public key; both sides derive symmetric session keys
  4. Encrypted Session — All subsequent traffic uses fast symmetric encryption (AES)

Public Key vs Symmetric Key

AspectAsymmetric (Public/Private)Symmetric (Shared Secret)
KeysTwo: public (encrypt) and private (decrypt)One: same key encrypts and decrypts
SpeedSlow (RSA/ECDSA operations)Fast (AES/ ChaCha20 operations)
Use in TLSHandshake only (authenticate & exchange)Bulk data encryption for the session

TLS uses asymmetric cryptography only to bootstrap the connection; once the shared secret is established, all data flows over symmetric encryption for performance.

Certificates and Certificate Authorities (CAs)

A TLS certificate is a digital document that binds a public key to an identity (domain name, organization). It is signed by a Certificate Authority (CA) — a trusted third party that vouches for the binding.

ComponentRole
CertificateContains public key, domain name, validity dates, issuer
Private KeyKept secret on the server; used to decrypt the pre-master secret
CASigns certificates; browsers ship with a root CA trust store
ChainIntermediate CAs bridge root CAs to end-entity certificates

Certificate validation steps:

  1. Server presents its certificate + intermediate chain
  2. Client checks that the certificate is signed by a trusted CA (or intermediate)
  3. Client verifies the certificate has not expired
  4. Client confirms the certificate’s Subject/SAN matches the requested hostname
  5. Client checks the certificate has not been revoked (CRL/OCSP)

Self-Signed Certificates

A self-signed certificate is signed by its own private key rather than a public CA. Useful for:

  • Internal services and development environments
  • Kubernetes API server bootstrap (before cluster CA is established)
  • Private PKI where you control the trust store

Warning: Browsers reject self-signed certificates by default because they cannot verify trust. You must add the self-signed CA to the client trust store for it to work.

TLS in Kubernetes

TLS appears throughout the Kubernetes architecture:

ComponentTLS Usage
kube-apiserverHTTPS (port 6443) with client certificate authentication
etcdPeer-to-peer TLS between etcd nodes; client TLS for API server
kubeletClient certificates for authenticating to the API server
Ingress / Service MeshTLS termination at the edge (cert-manager, Let’s Encrypt)
Secret type kubernetes.io/tlsNative Kubernetes object for storing cert + key pairs

Common TLS Versions and Best Practices

VersionStatusRecommendation
SSL 2.0 / 3.0Deprecated, insecureNever use
TLS 1.0 / 1.1DeprecatedDisable in production
TLS 1.2Widely supportedMinimum acceptable
TLS 1.3Latest (faster handshake, fewer cipher suites)Prefer when supported

CKA Exam Relevance

While the CKA exam does not require deep TLS mathematics, you must understand:

  • How certificates authenticate the API server and kubelets
  • Where private keys and certificates live (/etc/kubernetes/pki/)
  • How to check certificate expiry (openssl x509 -in cert.pem -text -noout)
  • That kubernetes.io/tls Secrets hold certificate + key pairs for Ingress and services

See Also

Wiki Concepts

Creator / Entity


Tags: cka kubernetes ssl tls security networking certificates encryption devops