Good presentation, useful info for my deeper understanding of how certs work in k8s! Thx!

Thank you so much for this video. Good efforts!

Thanks for this very insightful

One of the best videos abt certificate

These certs are self-signed. In baremetal kubernetes cluster, how do we manage these certs. Usually, in PROD, do we replace the certs by getting them from security team? Please explain on how we renew them or manage them in realtime PROD scenario. From where do we get the certs and do we replace ca.crt and ca.key and all the certs for different components etc... My understanding is that we dont use self-signed certs for PROD environment. Hope, you got my query. Thanks!

Thank you so much. This is all about Kubernetes certificates :)

I'm bit confused with clients private key. For example when and how will admins(kubectl) private key be used? Isnt it only the client certificate that is required for the server side?

From Viet Nam. Thanks

the way you created the kube-apiserver cert is wrong cause the alternate dns names were not defined, it does work partially in a k8s cluster

Thanks.. Very good explanation ... Just have one question, How api-server validate the certificate sent by admin user ? Does he has the Admin certificate installed ?

Really liked the concept, thanks for the detailed information provided. One question, if the api-server cert is expired , do we need to generate a new api-server.key and new csr or we sign the same csr with the ca.key and ca.crt?

Hi Can you guide me,my cluster ca.crt is going to expire in 2days, how should I renew the ca.crt in running cluster.

Does a pod or container on the worker node also recieve a certificate? How can the communication with the applications in them or the pods/containers themselves take place in a secure manner?

You didn't really explain, are you on filesystem of master node or ?

Bro super teaching

Hi can you please help me where I can find ca.key inside the eks cluster 1.26

Hello, we have a single box K8S cluster and i see cert is expired as i am getting 509x error while get pods. So how do i renew them, also as i am unable to connect to cluster or get pots etc..... do i need to take backup of pods or any config ? if yes how to see them and what configs should i take backup. i know bit of k8s but the team who managed this cluster, are not supporting anymore. could me help me in this regard's - suggesting any links

Hi I want to replace my ca.crt and I don't have .key file for it as it a corporate certificate how can I create other certs using this cert and i have already deployed cluster with default certs which are created when we ran kubeadm init

Put lot of effort, with out any context of linking between various certificates. If kubectl certificate and api-server are two completely different certificates, how do both know each other is the key and missing price. Waste of time of everyone.

Nice Video. I realized just how insecure Kubernetes is because the ca.key is stored in plain text in /etc/kubernetes/pki. That is the private key of the root CA for every other service. Don't let that file get compromised!

Great video!!