Cluster Architecture

Certificates

PKI certificates, certificate signing requests, checking expiration, and renewal.

Overview

  • Kubernetes uses PKI (Public Key Infrastructure) for authentication between components
  • All cluster certificates are stored in /etc/kubernetes/pki/ on control plane nodes
  • Key certificate pairs:
    Certificate                    Purpose
    ca.crt / ca.key                Cluster CA — signs all other certificates
    apiserver.crt                  API server serving certificate
    apiserver-kubelet-client.crt   API server → kubelet client authentication
    etcd/ca.crt                    etcd CA (separate from the cluster CA)
    front-proxy-ca.crt             Front proxy CA for the aggregation layer
  • kubeadm generates all certificates automatically during kubeadm init

Certificate Signing Requests (CSR)

Docs: K8s Docs - CSRs

Create a certificate for a new user

Step 1 — Generate a private key and CSR with openssl

# generate a private key
openssl genrsa -out jane.key 2048

# create a certificate signing request
openssl req -new -key jane.key -subj "/CN=jane/O=developers" -out jane.csr
  • CN (Common Name) becomes the username
  • O (Organization) becomes the group

Step 2 — Create a CertificateSigningRequest object

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: jane
spec:
  request: <base64-encoded-csr>        # cat jane.csr | base64 | tr -d '\n'
  signerName: kubernetes.io/kube-apiserver-client
  usages:
    - client auth

# encode the CSR and create the object in one step (heredoc piped into kubectl)
CSR=$(cat jane.csr | base64 | tr -d '\n')
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: jane
spec:
  request: $CSR
  signerName: kubernetes.io/kube-apiserver-client
  usages:
    - client auth
EOF

Step 3 — Approve (or deny) the CSR

kubectl certificate approve jane
# or
kubectl certificate deny jane

Step 4 — Extract the signed certificate

kubectl get csr jane -o jsonpath='{.status.certificate}' | base64 -d > jane.crt

Step 5 — Use the certificate

# set credentials in kubeconfig
kubectl config set-credentials jane --client-key=jane.key --client-certificate=jane.crt

# set context
kubectl config set-context jane-ctx --cluster=kubernetes --user=jane

# use the context
kubectl config use-context jane-ctx
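Because CN becomes the username and every O becomes a group, approving a CSR in Step 3 is an identity decision: check what the request actually asks for before approving it. The helper below is an added example, not part of the original notes; it assumes openssl and base64 are installed and that the base64 CSR is taken from .spec.request of the CertificateSigningRequest object.

```shell
# Print the subject attributes of a base64-encoded PKCS#10 CSR (the value of
# .spec.request on a CertificateSigningRequest), one per line, e.g.
#   O=developers
#   CN=jane
# RFC2253 output is comma-separated with no spaces, so it splits reliably;
# a value containing an escaped comma splits wrongly and simply fails the match.
csr_subject_attrs() {
  printf '%s' "$1" | base64 -d \
    | openssl req -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//' | tr ',' '\n'
}

# Return 0 only if the CSR names exactly user $2 with exactly the groups in $3
# (space-separated, any order). A different CN or any extra group means the
# request would grant more identity than intended and must not be approved.
csr_matches() {
  want_cn=$2 want_groups=$3 got_cn='' got_groups=''
  attrs=$(csr_subject_attrs "$1")
  old_ifs=$IFS; IFS='
'
  for attr in $attrs; do
    case $attr in
      CN=*) got_cn=${attr#CN=} ;;
      O=*)  got_groups="$got_groups ${attr#O=}" ;;
    esac
  done
  IFS=$old_ifs
  [ "$got_cn" = "$want_cn" ] || return 1
  [ "$(printf '%s\n' $got_groups | sort)" = "$(printf '%s\n' $want_groups | sort)" ]
}

# Usage against a live cluster (not executed here):
#   REQ=$(kubectl get csr jane -o jsonpath='{.spec.request}')
#   csr_matches "$REQ" jane developers && kubectl certificate approve jane
```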

Checking Certificate Expiration

# check expiration of all kubeadm-managed certificates
kubeadm certs check-expiration

# inspect a specific certificate with openssl
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text -noout | grep -A2 Validity
  • kubeadm certificates are valid for 1 year by default
  • The cluster CA is valid for 10 years

Renewing Certificates

# renew all kubeadm-managed certificates
kubeadm certs renew all

# renew a specific certificate
kubeadm certs renew apiserver

# restart control plane components after renewal
# (kubeadm static pods pick up new certs on restart)
crictl pods --name 'kube-apiserver-*' -q | xargs crictl rmp
  • Running kubeadm upgrade automatically renews certificates
  • Renew certificates before they expire to avoid cluster outage

Useful Commands

# list all CSRs
kubectl get csr

# describe a CSR
kubectl describe csr <name>

# approve/deny a CSR
kubectl certificate approve <name>
kubectl certificate deny <name>

# delete a CSR
kubectl delete csr <name>

# check certificate expiration
kubeadm certs check-expiration

# renew all certificates
kubeadm certs renew all

# view certificate details
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text -noout