A third-party service may wish to connect to a Kubernetes workload cluster via kubeapi to conduct maintenance or security-related tasks, such as inject secrets from a remote secure store. The third party will want assurance that they are connecting to the right host, and will accomplish this via standard PKI techniques. Namely, they will be provided a TLS Server Certificate, and validate that Certificate’s issuing Certificate Authority through a trusted hierarchy.

This means that the Platform Owner must configure the Control Plane Service with a securely provisioned certificate, as well as make sure the internal Kubernetes control plane components are not impacted or confused.

Options

  • Using standard Kubernetes bootstrap and certificate management, it is possible to provide the target cluster with a trusted Certificate Authority. However, Certificate Authorities, including intermediate CAs, are not usually available in enterprise environments. Lifecycle maintenance activities may also be impacted.
  • An Operator could directly connect to the Kubernetes Control Plane Nodes via ssh and replace certain certificates, as described in Kubernetes documentation. This would present several maintenance challenges, including allowing the Control Plane to be accessed by other environment components that are not aware of the third party requirement.
  • An external load balancer may be configured to provide TLS Termination from the client, using preferred certificates, and then re-encryption with the target’s Certificate and Certificate Authority.
  • A secondary Kubernetes Ingress object may be provisioned that provides secondary access to the service/control-plane. This secondary ingress will be provisioned with the selected Certificate, while other uses access the primary ingress unchanged.
  • There may be other methods, as the ways to configure Kubernetes to do strange and wonderful things is limited only by the user’s imagination and patience.

Later blog posts and associated git repos explore achieving this with Contour, AVI load balancer, and HAProxy.