Good presentation, useful info for my deeper understanding of how certs work in k8s! Thx!
Thanks for your visit and comments. Thanks!
Thank you so much for this video. Good efforts!
Thanks for this very insightful
I'm a bit confused about the client's private key. For example, when and how will the admin's (kubectl) private key be used? Isn't it only the client certificate that is required for the server side?
Thank you so much. This is all about Kubernetes certificates :)
You're most welcome!
Hi
Can you guide me? My cluster ca.crt is going to expire in 2 days; how should I renew the ca.crt in a running cluster?
One of the best videos about certificates
Wow, thanks!
These certs are self-signed. In a bare-metal Kubernetes cluster, how do we manage these certs? Usually, in PROD, do we replace the certs by getting them from the security team? Please explain how we renew them or manage them in a real-time PROD scenario. From where do we get the certs, and do we replace ca.crt and ca.key and all the certs for the different components etc.? My understanding is that we don't use self-signed certs for a PROD environment. Hope you got my query. Thanks!
Hey @robertsarnapeta5825 have you got the answer for it?
Hi, can you please help me with where I can find ca.key inside the EKS cluster 1.26?
Does a pod or container on the worker node also receive a certificate? How can the communication with the applications in them or the pods/containers themselves take place in a secure manner?
This is a good question. This video is to discuss how the components of Kubernetes communicate with each other. What you are asking is at the application level; your application needs to manage its own certificate on the client and server sides. I will do some research and post a video on this interesting topic!
The way you created the kube-apiserver cert is wrong because the alternate DNS names were not defined; it does work partially in a k8s cluster.
You didn't really explain: are you on the filesystem of the master node, or?
Hi, I want to replace my ca.crt and I don't have the .key file for it, as it is a corporate certificate. How can I create other certs using this cert? I have already deployed a cluster with the default certs which were created when we ran kubeadm init.
Hi Super! Thanks for visiting. I think you can create and place the certs on an existing kube environment.
Bro super teaching
Thank you so much 🙂
Hello,
We have a single-box K8S cluster and I see the cert is expired, as I am getting a 509x error while getting pods.
So how do I renew them? Also, as I am unable to connect to the cluster or get pods etc., do I need to take a backup of the pods or any config? If yes, how do I see them and what configs should I back up?
I know a bit of k8s, but the team who managed this cluster is not supporting it anymore. Could you help me in this regard by suggesting any links?
Hi Vamshi, thanks for watching this video! Refer to kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/ for answers to your question. It has steps on how to do certificate renewal.
From Viet Nam. Thanks
Really liked the concept, thanks for the detailed information provided. One question: if the api-server cert is expired, do we need to generate a new api-server.key and a new CSR, or do we sign the same CSR with the ca.key and ca.crt?
Thanks for visiting my channel. Please refer to kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/ for setting up automatic or manual renewal of certs.
Thanks.. Very good explanation ...
Just have one question: how does the api-server validate the certificate sent by the admin user? Does he have the Admin certificate installed?
Trust is the answer..
Put a lot of effort, without any context of linking between the various certificates. If the kubectl certificate and the api-server are two completely different certificates, how do both know each other is the key and missing piece. Waste of everyone's time.
Can you explain more!?
Nice Video. I realized just how insecure Kubernetes is because the ca.key is stored in plain text in /etc/kubernetes/pki. That is the private key of the root CA for every other service. Don't let that file get compromised!
Agree!!