DEV Community

Cheedge Lee

Posted on • Originally published at notes-renovation.hashnode.dev

CKS Notes - TLS

TLS

# generate TLS cert and key
openssl command [ options ... ] [ parameters ... ]

1. TLS config files

In this article we focus on three levels (types) of TLS encryption in a cluster:

  1. in-cluster (control-plane) communication (/etc/kubernetes/pki/*)

  2. client (kubectl) communication with the apiserver (~/.kube/config)

  3. application-level communication (TLS Secrets)

1.1 PKI files

PKI files in /etc/kubernetes/pki/ secure:

  • kubelet ↔ apiserver (mTLS)

  • scheduler ↔ apiserver

  • controller-manager ↔ apiserver

  • apiserver ↔ etcd

  • (in some setups) kube-proxy ↔ apiserver

These ensure control-plane communication is always encrypted and authenticated.

1.2 Kubectl using TLS

~/.kube/config stores:

  • the API server URL (HTTPS)

  • the CA certificate

  • user’s client certificate/key

This ensures:

  • kubectl connects to apiserver using TLS

  • apiserver knows which user is calling

1.3 Application level (TLS Secrets)

Stored inside Kubernetes as:

apiVersion: v1
kind: Secret
metadata:
  name: testsecret-tls
  namespace: default
data:
  tls.crt: base64 encoded cert
  tls.key: base64 encoded key
type: kubernetes.io/tls

Used by:

  • Ingress controllers (public HTTPS)

  • Gateways (Istio)

These certificates belong to applications, not Kubernetes.

1.3.1 TLS Secret and usage

kubectl create secret tls <NAME> --cert=/PATH/TO/<CERT> --key=/PATH/TO/<KEY>

and the Ingress uses it:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-example-ingress
spec:
  tls:
  - hosts:
      - https-example.foo.com
    secretName: testsecret-tls
  rules:
    ...

Then we can use curl to verify which certificate is served (-v prints the handshake and certificate; -k skips CA validation, so it shows the certificate but does not prove it is trusted):

curl -kv https://...

For more details, check the official docs.

For more details about Secrets, see the previous blog post.

2. TLS Flags

TLS flags define the TLS standards the server accepts. The type of certificate a client presents (kubeconfig cert, PKI cert, bootstrap cert) does not matter, as long as the TLS connection itself follows these rules.

All of these connections must use:

  • allowed TLS version

  • allowed cipher suites

  • supported handshake parameters

2.1 TLS Flags of apiserver

The apiserver is a TLS server, and its TLS flags define what ALL clients must follow.

Clients include:

  • kubectl → apiserver

  • kubelet → apiserver

  • controller-manager → apiserver

  • scheduler → apiserver

  • operators → apiserver

Example:

--tls-min-version=VersionTLS13
--tls-cipher-suites=TLS_AES_128_GCM_SHA256

2.2 TLS Flags of etcd

Example:

--cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

These apply to clients connecting to etcd:

  • kube-apiserver

  • etcdctl (if used)

  • backup/restore tools

  • any etcd peer connections
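As an added example (not code from the original post), here is a small audit script that reads the TLS flags from kube-apiserver and etcd static pod manifests and reports weak settings. It parses only the `- --flag=value` command lines (no PyYAML needed), the manifests are constructed samples, and the cipher-suite allow-list is an assumption of this example.

```python
"""Audit TLS flags in kube-apiserver and etcd static pod manifests.
Added example for these notes (not from the original post). It reads only the
`- --flag=value` command lines, so it needs no PyYAML; manifests are constructed samples."""
import re

# Constructed kube-apiserver sample: minimum version too low, one legacy suite mixed in.
SAMPLE_APISERVER = """\
  - command:
    - kube-apiserver
    - --advertise-address=10.0.0.10
    - --tls-min-version=VersionTLS11
    - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA
"""
# Constructed etcd sample using the --cipher-suites value shown in the notes.
SAMPLE_ETCD = """\
  - command:
    - etcd
    - --cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
"""
ALLOWED_VERSIONS = {"VersionTLS12", "VersionTLS13"}
# Assumed allow-list: forward-secret AEAD suites for TLS 1.2 plus the TLS 1.3 suites.
# Caveat: Go (hence kube-apiserver) cannot restrict TLS 1.3 suites, so
# --tls-cipher-suites only constrains TLS 1.2 handshakes.
ALLOWED_SUITES = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
}
FLAG_RE = re.compile(r"^\s*-\s+--([\w-]+)=(.*)$")

def parse_flags(manifest: str) -> dict:
    """Return {flag: value} for every `- --flag=value` line of the manifest."""
    return {m.group(1): m.group(2).strip()
            for line in manifest.splitlines() if (m := FLAG_RE.match(line))}

def audit_tls(flags: dict, version_flag="tls-min-version", suites_flag="tls-cipher-suites") -> list:
    """Return findings (empty list = compliant). For etcd only the suite flag is checked: pass None."""
    findings = []
    if version_flag and flags.get(version_flag) not in ALLOWED_VERSIONS:
        findings.append(f"{version_flag}={flags.get(version_flag, '<unset>')}: require TLS 1.2+")
    suites = [s for s in flags.get(suites_flag, "").split(",") if s]
    if not suites:
        findings.append(f"{suites_flag} unset: server falls back to its built-in default list")
    findings += [f"{suites_flag}: {s} not in allow-list" for s in suites if s not in ALLOWED_SUITES]
    return findings

if __name__ == "__main__":
    print("kube-apiserver:", audit_tls(parse_flags(SAMPLE_APISERVER)) or "OK")
    print("etcd:", audit_tls(parse_flags(SAMPLE_ETCD), None, "cipher-suites") or "OK")
```

On a real node, point `parse_flags` at the contents of /etc/kubernetes/manifests/kube-apiserver.yaml and etcd.yaml instead of the samples.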

Reference

The exact flags are listed in the k8s (kube-apiserver) and etcd (security) official docs.
