CKA Day 21 — Manage TLS Certificates In a Kubernetes Cluster

Day 21 of the 40-day CKA course by Tech Tutorials with Piyush.

Core Synthesis

This lesson applies Day 20’s SSL/TLS theory to the Kubernetes control plane. It covers the practical mechanics of creating, signing, and using TLS certificates inside a cluster — a guaranteed topic on the CKA exam’s Cluster Architecture domain (~25%).

Kubernetes PKI Overview

A Kubernetes cluster maintains its own internal PKI. When you bootstrap with kubeadm, it auto-generates a certificate authority and issues certificates for every control plane component. The default location is /etc/kubernetes/pki/.

File                                   Purpose
ca.crt / ca.key                        Cluster root CA; signs the API server, kubelet client and user certificates (etcd and the front proxy have their own CAs below)
apiserver.crt / apiserver.key          API server serving certificate (HTTPS on 6443)
apiserver-kubelet-client.crt / .key    API server client certificate used when it talks to kubelets
etcd/ca.crt / etcd/ca.key              etcd's separate CA
etcd/server.crt / .key                 etcd server serving certificate
front-proxy-ca.crt / .key              CA for the front proxy (aggregation layer)
sa.pub / sa.key                        Service account token signing key pair

Exam Tip: If apiserver.crt expires, the entire cluster API becomes unreachable. Know how to check expiry with openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -dates. Source: CKA Day 21

The Certificate Signing Request (CSR) Resource

Kubernetes has a native CSR API object (certificates.k8s.io/v1) that allows users or systems to request certificates from the cluster CA.

Why use CSRs?

  • Granting authenticated access to new users without sharing the CA private key
  • Issuing client certificates for kubectl users
  • Automating certificate issuance for custom controllers or admission webhooks

The CSR lifecycle:

  1. User creates a private key and a PKCS#10 CSR; the private key never leaves the user's machine
  2. User base64-encodes the CSR and creates a Kubernetes CertificateSigningRequest object
  3. Admin (or an automated approver) inspects the requested subject and approves the CSR: kubectl certificate approve <name>
  4. The signing controller in kube-controller-manager signs the CSR with the cluster CA and stores the certificate in the CSR object's status.certificate
  5. User extracts the signed certificate from the CSR object

Creating a CSR Manually (CKA Pattern)

# 1. Generate a private key (stays with the user)
openssl genrsa -out user.key 2048

# 2. Create a PKCS#10 CSR. CN becomes the Kubernetes username, O becomes a group.
openssl req -new -key user.key -out user.csr -subj "/CN=developer/O=engineering"

# 3. Base64-encode the CSR as a single line (GNU coreutils: base64 -w0 does the same)
base64 < user.csr | tr -d '\n'

# 4. Create the Kubernetes CSR object; the encoded CSR is substituted into the unquoted heredoc
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: developer-csr
spec:
  request: $(base64 < user.csr | tr -d '\n')
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
  expirationSeconds: 86400  # 1 day (minimum accepted is 600; the signer may cap the value)
EOF

# 5. Inspect before approving: the O= in the subject is the group the user will join
kubectl get csr developer-csr -o jsonpath='{.spec.request}' | base64 -d | openssl req -noout -subject
kubectl certificate approve developer-csr

# 6. Extract the signed certificate (status.certificate is filled in once the signer has issued it)
kubectl get csr developer-csr -o jsonpath='{.status.certificate}' | base64 -d > user.crt
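A scripted version of the walkthrough above, added here as an example and not taken from the course, with the two checks an approver wants: decoding the requested subject before approval (the O= value becomes a Kubernetes group, so a request for system:masters must be refused) and confirming that the issued certificate pairs with the private key. The CSR name "developer", the organisation "engineering", the file names and the RUN_WITH_CLUSTER switch are assumptions; the openssl-only functions run without a cluster, the kubectl steps need one.

```bash
#!/usr/bin/env bash
# Added example (not from the course): build a CSR manifest with openssl,
# inspect the requested identity before approval, and verify that the issued
# certificate pairs with the private key. Names and paths are assumptions.
set -euo pipefail

# Write a CertificateSigningRequest manifest for <cn>/<org> to <out.yaml>.
# Leaves <name>.key and <name>.csr in the current directory.
# Usage: make_csr_manifest <csr-name> <cn> <org> <out.yaml>
make_csr_manifest() {
  local name=$1 cn=$2 org=$3 out=$4 b64
  openssl genrsa -out "${name}.key" 2048 2>/dev/null
  openssl req -new -key "${name}.key" -out "${name}.csr" -subj "/CN=${cn}/O=${org}" 2>/dev/null
  b64=$(base64 < "${name}.csr" | tr -d '\n')
  cat > "$out" <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${name}
spec:
  request: ${b64}
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
  expirationSeconds: 86400
EOF
}

# Decode spec.request from a manifest and print the subject in RFC 2253 form,
# e.g. "O=engineering,CN=developer". The same pipeline works on a live object
# fed from: kubectl get csr <name> -o jsonpath='{.spec.request}'
csr_subject() {
  sed -n 's/^ *request: *//p' "$1" | base64 -d \
    | openssl req -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Approval gate: O= in the subject becomes a Kubernetes group, so a CSR that
# asks for system:masters (cluster-admin) or system:nodes must not be approved
# blindly. Prints the verdict and returns 1 for a rejected CSR.
csr_is_safe() {
  local subj
  subj=$(csr_subject "$1")
  case "$subj" in
    *system:masters*|*system:nodes*) echo "REJECT: $subj"; return 1 ;;
  esac
  echo "OK: $subj"
}

# Return 0 if the certificate's public key matches the private key, 1 otherwise.
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Cluster-side steps. Only run when RUN_WITH_CLUSTER=1 so the functions above
# can be used (and tested) on a machine without a cluster.
issue_and_install() {
  local name=$1 manifest=$2
  csr_is_safe "$manifest"
  kubectl apply -f "$manifest"
  kubectl certificate approve "$name"
  # Signing is asynchronous: poll until status.certificate is populated.
  for _ in 1 2 3 4 5 6 7 8 9 10; do
    kubectl get csr "$name" -o jsonpath='{.status.certificate}' | base64 -d > "${name}.crt"
    [ -s "${name}.crt" ] && break
    sleep 1
  done
  cert_matches_key "${name}.crt" "${name}.key"
  kubectl config set-credentials "$name" \
    --client-certificate="${name}.crt" --client-key="${name}.key" --embed-certs=true
}

if [ "${RUN_WITH_CLUSTER:-0}" = 1 ]; then
  make_csr_manifest developer developer engineering developer-csr.yaml
  issue_and_install developer developer-csr.yaml
fi
```

Approving a CSR is the moment the cluster hands out an identity, so the gate sits before kubectl certificate approve, not after; the user still needs a RoleBinding or ClusterRoleBinding for the CN or O value before the new credential can do anything.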

Signer Names

The certificates.k8s.io/v1 API (Kubernetes 1.19+) requires an explicit signerName in the CSR spec, and the usages must be ones the signer permits: kubernetes.io/kube-apiserver-client requires client auth and rejects a request that asks for server auth.

Signer Name                                    Purpose
kubernetes.io/kube-apiserver-client            Client certificates for API server authentication; never auto-approved, an admin must approve each request
kubernetes.io/kube-apiserver-client-kubelet    Kubelet client certificates; auto-approved by kube-controller-manager during node bootstrap when RBAC allows it
kubernetes.io/kubelet-serving                  Kubelet serving certificates; not auto-approved by default
kubernetes.io/legacy-unknown                   Legacy; not accepted by the certificates.k8s.io/v1 API, avoid

Certificate Expiry and Renewal

kubeadm-managed clusters:

# Check all certificate expiry dates (kubeadm 1.20+; older releases used kubeadm alpha certs)
kubeadm certs check-expiration

# Renew all certificates (also rewrites admin.conf, controller-manager.conf and scheduler.conf)
kubeadm certs renew all
cp /etc/kubernetes/admin.conf ~/.kube/config

# Restart the static pods so the control plane loads the new certs: moving the
# manifests out of the watched directory and back makes the kubelet recreate them
mkdir -p /tmp/static-pods
mv /etc/kubernetes/manifests/*.yaml /tmp/static-pods/ && sleep 20 && mv /tmp/static-pods/*.yaml /etc/kubernetes/manifests/

Important: kubeadm certs renew only rewrites the certificate files on disk; dynamic reloading is not supported for every control plane component and certificate, so the running API server, controller manager, scheduler and etcd must be restarted to pick up the new files. The command never renews the CAs themselves (kubeadm issues them with a 10-year lifetime); a CA close to expiry needs a separate CA rotation. The kubelet's own client certificate is outside this command too and is rotated by the kubelet when rotation is enabled.
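An added example, not from the course, that turns the expiry check into a script using only openssl, so it also works on clusters that were not built with kubeadm: it reports how the certificates under a pki directory stand against a day threshold (openssl x509 -checkend), verifies that a leaf chains to the CA it is supposed to, and checks the API server's Subject Alternative Names, the usual cause of "certificate is valid for ... not ..." errors. The directory layout (*.crt plus etcd/*.crt) follows kubeadm; the 30-day threshold and the file names are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the course): audit a kubeadm-style pki directory with
# openssl only. The directory and the 30-day threshold are assumptions; on a
# control plane node run: audit_pki /etc/kubernetes/pki 30
set -euo pipefail

# Return 0 if certificate $1 is still valid $2 days from now, 1 if it expires
# before then or has already expired (-checkend takes seconds).
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Print the notAfter field of certificate $1, e.g. "notAfter=Mar  1 12:00:00 2026 GMT".
not_after() {
  openssl x509 -in "$1" -noout -enddate
}

# Return 0 if leaf $2 chains to CA $1. Catches a renewed certificate signed by
# the wrong CA (for instance an etcd cert issued by the cluster CA).
verify_against_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Return 0 if certificate $1 lists name $2 (e.g. DNS:kubernetes or
# "IP Address:10.96.0.1") in its Subject Alternative Name. The API server's
# serving cert must cover every name clients connect to.
has_san() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | grep -q -- "$2"
}

# Walk <dir>/*.crt and <dir>/etcd/*.crt (the kubeadm layout), report each cert
# on stderr, and print the number of certs expiring within <days> on stdout.
audit_pki() {
  local dir=$1 days=$2 bad=0 f
  for f in "$dir"/*.crt "$dir"/etcd/*.crt; do
    [ -f "$f" ] || continue               # skip an unmatched glob
    if valid_for_days "$f" "$days"; then
      printf 'OK        %s (%s)\n' "$f" "$(not_after "$f")" >&2
    else
      printf 'EXPIRING  %s (%s)\n' "$f" "$(not_after "$f")" >&2
      bad=$((bad + 1))
    fi
  done
  echo "$bad"
}

# Stand-alone use: audit_pki <dir> [days]; exits non-zero when anything is expiring.
if [ $# -ge 1 ]; then
  n=$(audit_pki "$1" "${2:-30}")
  [ "$n" -eq 0 ]
fi
```

Run it from cron or a node exporter wrapper with a threshold longer than your renewal lead time; a non-zero count from audit_pki is the signal to schedule kubeadm certs renew and the static pod restart before the API server goes dark.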

TLS Secrets Revisited

After obtaining a signed certificate, store it in a kubernetes.io/tls Secret for use by Ingress controllers, webhooks, or applications. kubectl checks that the key and certificate belong together and rejects a mismatched pair:

kubectl create secret tls my-tls-secret \
  --cert=user.crt \
  --key=user.key

Caveat: the certificate from the walkthrough above was issued with the client auth usage only, so it belongs in a kubeconfig, not in front of a service. An Ingress or webhook needs a certificate with the server auth usage and the right Subject Alternative Names, which the kube-apiserver-client signer does not issue.

CKA Exam Relevance

  • Create a CSR object from a base64-encoded CSR PEM block
  • Approve a CSR with kubectl certificate approve
  • Extract the signed certificate from the CSR status
  • Check certificate expiry with openssl or kubeadm certs check-expiration
  • Renew certificates with kubeadm certs renew and know to restart static pods
  • Troubleshoot Unauthorized errors caused by expired client or server certificates

See Also

Wiki Concepts

  • TLS Fundamentals — Deep-dive page updated with Kubernetes Certificate Management section covering CSRs, signer names, kubeadm PKI paths, and certificate renewal
  • Kubernetes Architecture — Control plane TLS communication and PKI file locations
  • Kubernetes ConfigMaps and Secrets — kubernetes.io/tls Secret type for storing signed certificates
  • Kubernetes Static Pods — Control plane components run as Static Pods that must restart to load renewed certs
  • CKA Certification — Exam structure where certificate management appears in Cluster Architecture domain
  • CKA Study Roadmap — 40-day plan: Day 21 covers K8s TLS certificate management

Tags: cka kubernetes tls certificate csr pki security kubeadm devops