CKA Day 21 — Manage TLS Certificates In a Kubernetes Cluster
Day 21 of the 40-day CKA course by Tech Tutorials with Piyush.
Core Synthesis
This lesson applies Day 20’s SSL/TLS theory to the Kubernetes control plane. It covers the practical mechanics of creating, signing, and using TLS certificates inside a cluster — a guaranteed topic on the CKA exam’s Cluster Architecture domain (~25%).
Kubernetes PKI Overview
A Kubernetes cluster maintains its own internal PKI. When you bootstrap with kubeadm, it auto-generates a certificate authority and issues certificates for every control plane component. The default location is /etc/kubernetes/pki/.
| File | Purpose |
|---|---|
ca.crt / ca.key | Cluster root CA — signs all other certificates |
apiserver.crt / apiserver.key | API server serving certificate (HTTPS on 6443) |
apiserver-kubelet-client.crt / .key | API server client cert for kubelet communication |
etcd/ca.crt / etcd/ca.key | etcd’s separate CA |
etcd/server.crt / .key | etcd server serving certificate |
front-proxy-ca.crt / .key | CA for front-proxy (aggregator layer) |
sa.pub / sa.key | Service account token signing key pair |
Exam Tip: If
apiserver.crtexpires, the entire cluster API becomes unreachable. Know how to check expiry withopenssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -dates. Source: CKA Day 21
The Certificate Signing Request (CSR) Resource
Kubernetes has a native CSR API object (certificates.k8s.io/v1) that allows users or systems to request certificates from the cluster CA.
Why use CSRs?
- Granting authenticated access to new users without sharing the CA private key
- Issuing client certificates for
kubectlusers - Automating certificate issuance for custom controllers or admission webhooks
The CSR lifecycle:
- User creates a private key and CSR (PKCS#10)
- User base64-encodes the CSR and creates a Kubernetes
CertificateSigningRequestobject - Admin (or automated approver) reviews and approves the CSR:
kubectl certificate approve <name> - Kubernetes controller signs the CSR with the cluster CA and stores the certificate in the CSR object’s
status.certificate - User extracts the signed certificate from the CSR object
Creating a CSR Manually (CKA Pattern)
# 1. Generate a private key
openssl genrsa -out user.key 2048
# 2. Create a CSR
openssl req -new -key user.key -out user.csr -subj "/CN=developer/O=engineering"
# 3. Base64 encode the CSR
cat user.csr | base64 | tr -d '\n'
# 4. Create the Kubernetes CSR object
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: developer-csr
spec:
request: <base64-encoded-csr>
signerName: kubernetes.io/kube-apiserver-client
usages:
- client auth
expirationSeconds: 86400 # 1 day
EOF
# 5. Approve
kubectl certificate approve developer-csr
# 6. Extract the signed certificate
kubectl get csr developer-csr -o jsonpath='{.status.certificate}' | base64 -d > user.crtSigner Names
Kubernetes 1.19+ requires an explicit signerName in the CSR spec:
| Signer Name | Purpose |
|---|---|
kubernetes.io/kube-apiserver-client | Client certificates for API server authentication |
kubernetes.io/kube-apiserver-client-kubelet | Kubelet client certificates |
kubernetes.io/kubelet-serving | Kubelet serving certificates |
kubernetes.io/legacy-unknown | Legacy; avoid in production |
Certificate Expiry and Renewal
** kubeadm-managed clusters:**
# Check all certificate expiry dates
kubeadm certs check-expiration
# Renew all certificates
kubeadm certs renew all
# Restart static pods to pick up new certs
# (kubelet will recreate them from /etc/kubernetes/manifests)Important: Renewing API server or etcd certs requires restarting the corresponding static Pod so it loads the new certificate files. Simply running
kubeadm certs renewupdates the files on disk, but the running process caches the old cert in memory.
TLS Secrets Revisited
After obtaining a signed certificate, store it in a kubernetes.io/tls Secret for use by Ingress controllers, webhooks, or applications:
kubectl create secret tls my-tls-secret \
--cert=user.crt \
--key=user.keyCKA Exam Relevance
- Create a CSR object from a base64-encoded CSR PEM block
- Approve a CSR with
kubectl certificate approve - Extract the signed certificate from the CSR status
- Check certificate expiry with
opensslorkubeadm certs check-expiration - Renew certificates with
kubeadm certs renewand know to restart static pods - Troubleshoot
Unauthorizederrors caused by expired client or server certificates
See Also
Wiki Concepts
- TLS Fundamentals — Deep-dive page updated with Kubernetes Certificate Management section covering CSRs, signer names, kubeadm PKI paths, and certificate renewal
- Kubernetes Architecture — Control plane TLS communication and PKI file locations
- Kubernetes ConfigMaps and Secrets —
kubernetes.io/tlsSecret type for storing signed certificates - Kubernetes Static Pods — Control plane components run as Static Pods that must restart to load renewed certs
- CKA Certification — Exam structure where certificate management appears in Cluster Architecture domain
- CKA Study Roadmap — 40-day plan: Day 21 covers K8s TLS certificate management
Related Sources
- TLS Explained Simply — Preceding day covering TLS theory
- CKA Day 19 — Kubernetes ConfigMap and Secret Explained — TLS Secret type context
Creator / Entity
- Tech Tutorials with Piyush — Creator of the 40-day CKA course
Tags: cka kubernetes tls certificate csr pki security kubeadm devops