Certificates
Listing all the necessary certificates
This gives us an overview of all the certificates that we need to prepare for a fully functioning Kubernetes cluster:
- `etcd` peer certificate, for every `etcd` instance
- server certificates:
  - `etcd` server certificate, for every `etcd` instance
  - `kube-apiserver` server certificate
  - `kubelet` server certificate
- client certificates:
  - `kube-apiserver` client certificate to communicate with `etcd`
  - `kube-apiserver` client certificate to communicate with kubelets
  - `kubelet` client certificate to communicate with `kube-apiserver`, for every control and worker node
  - `kube-scheduler` client certificate to communicate with `kube-apiserver`
  - `kube-controller-manager` client certificate to communicate with `kube-apiserver`
  - `kube-proxy` client certificate to communicate with `kube-apiserver`
- client certificates for human users to communicate with the Kubernetes API (`kube-apiserver`)
- certificate and key for verifying and signing service account tokens
Of course, every certificate must be signed by a Certificate Authority.
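As an added example (not part of this page or of Kubernetes itself), the following Go program encodes the server/client/peer split above into the extended key usages each class of certificate must carry and checks a certificate against the cluster CA for the role it is meant to fill. `Issue`, `CheckRole` and the role names are this example's own, and the CA and leaf certificates it creates are constructed in-memory test material.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// The three certificate classes from the list above and the EKUs each must carry;
// an etcd peer both serves and connects to other members, so it needs both.
var (
	ServerRole = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	ClientRole = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	PeerRole   = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
)
// Issue mints a short-lived certificate as constructed test material; a nil parent yields a self-signed CA.
func Issue(cn string, ekus []x509.ExtKeyUsage, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: ekus}
	if parent == nil { // self-signed CA: the template is its own parent
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}
// CheckRole verifies that cert chains to ca and carries every EKU in required. Go's Verify treats a
// certificate with no EKU extension as unrestricted and accepts any one listed usage, hence the two checks.
func CheckRole(cert, ca *x509.Certificate, required []x509.ExtKeyUsage) error {
	if len(cert.ExtKeyUsage) == 0 {
		return fmt.Errorf("%s: no extended key usage extension", cert.Subject.CommonName)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	for _, eku := range required {
		opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{eku}}
		if _, err := cert.Verify(opts); err != nil {
			return fmt.Errorf("%s: %w", cert.Subject.CommonName, err)
		}
	}
	return nil
}
```

The explicit EKU check is what separates an `etcd` peer certificate from a plain server certificate, which chain verification alone would not do.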
Additional ones if needed
- Front Proxy Client and Server Certificates (for API Aggregation):
  - If you are using API aggregation (e.g., for custom resources served by an extension API server), the `kube-apiserver` acts as a front proxy. It needs a front-proxy client certificate to authenticate itself to the extension API servers.
  - The extension API servers also need a front-proxy CA certificate in their trust store to verify the client certificate presented by the `kube-apiserver`.
  - The extension API servers themselves will also need their own server certificates to authenticate to the `kube-apiserver` when the `kube-apiserver` connects to them.
- Admission Webhook Certificates:
  - If you use Validating or Mutating Admission Webhooks, the API server needs to securely communicate with the webhook service.
  - The webhook server needs a server certificate to authenticate itself to the API server.
  - The API server needs to trust the CA that signed the webhook server certificate (often configured via the `admissionregistration.k8s.io/v1` API objects).
- Cloud Controller Manager Client Certificate:
  - If you are running a Cloud Controller Manager outside of the `kube-controller-manager` process (common in cloud provider integrations), it will need a client certificate to communicate with the `kube-apiserver`.
- OpenID Connect (OIDC) Certificates (if used for authentication):
  - If you configure the API server to authenticate users via an OIDC provider, the API server will need to trust the CA that signed the OIDC provider’s certificates. This isn’t a certificate for Kubernetes components but is necessary for a secure authentication flow.