If you’re running a Kubernetes cluster with kubeadm, you might think certificates are just a "set-and-forget" feature—but they’re crucial to securing your cluster.

In this issue, we’ll cover everything about Kubernetes certificates, including:

✅ How Kubernetes uses certificates
✅ Where certificates are stored
✅ Certificate expiration and renewal
✅ CA certificate management
✅ Automating certificate rotation
✅ Handling internal CAs in secure enterprise environments
✅ How update-ca-trust works in Linux

By the end, you'll have a solid understanding of Kubernetes certificate management and the tools to ensure your cluster remains secure and operational.

Let’s dive in! 🚀

How Kubernetes Uses Certificates

Kubernetes uses TLS certificates for secure communication between:

🔹 The API server and kubelet
🔹 The API server and etcd
🔹 The API server and the controller manager, scheduler, and other control plane components
🔹 Users (kubectl) accessing the API server
🔹 External services interacting with Kubernetes

Each component authenticates with certificates to ensure that no unauthorized services can communicate with the cluster.

Where Kubernetes Stores Certificates

When you create a cluster using kubeadm, it automatically generates certificates and stores them in:

📁 /etc/kubernetes/pki/

Here’s a breakdown of key files:

Each of these certificates plays a role in securing different parts of the Kubernetes cluster.

Checking Kubernetes Certificate Expiry

Kubeadm-generated certificates expire after 1 year, except for CA certificates, which last 10 years.

To check expiration dates, run:

kubeadm certs check-expiration

🚨 If any certificates are close to expiring, renew them ASAP!