Why are there so many certificates in a Kubernetes cluster?

Question

One Kubernetes cluster contains several components, for example, kubelet, etcd, api-server, etc.

We need to set up many certificates and keys when setting up a cluster, then they can carry these certificates to communicate with each other.

> kubectl describe pod kube-apiserver-controlplane -n=kube-system


Name:                 kube-apiserver-controlplane
Namespace:            kube-system
...
Controlled By:  Node/controlplane
Containers:
  kube-apiserver:
    Container ID:  docker://6974d026de0b2fadb3d2628d0df971ddc4c3d772665b2cd960a1d0e385f97a5d
    Image:         k8s.gcr.io/kube-apiserver:v1.20.0
    Image ID:      docker-pullable://k8s.gcr.io/kube-apiserver@sha256:8b8125d7a6e4225b08f04f65ca947b27d0cc86380bf09fab890cc80408230114
    Command:
      kube-apiserver
      ...
      --client-ca-file=/etc/kubernetes/pki/ca.crt
      --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
      --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
      --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
      --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
      --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
      --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
      --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
      --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
      --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
      ...
      ...

I know the concept of Certificate Authority(CA), Certificate, mTLS, and the mechanism of HTTPs.

I know the zero-trust model.

But I don't understand what security risk these Kubernetes certificates try to solve.

If the hacker can get root access to our node, they can view everything including the certificate, this complexity seems not to give us more security.

Questions

• What security risks are the most important (common) for a Kubernetes cluster?

• If I don't use certificates to protect internal communication within a cluster, how will the hacker attack me?

  As far as I know, the communication between AWS load balancer and EC2 is HTTP instead of HTTPs, it seems fine. Why are certificates not required between the load balancer and EC2, but required within a Kubernetes cluster?

Answer 1

Trying to answer your multiple questions from my view:

But I don't understand what problem these Kubernetes certificates try to solve.

1. According to Zero trust security model, the main concept behind the zero trust security model is "never trust, always verify”.

   Kubernetes expects that all API communication in the cluster is encrypted by default with TLS, which always checks the identity and integrity of communication between different components.

   One common scenario is referred to as a man-in-the-middle attack.

What security risks are the most important (common) for a Kubernetes cluster?

2. I think the most important security emphysis for a Kubernetes cluster are tls for all traffic/Authentication/Authorization.

   You could also refer to the official docs: securing your cluster

If I don't use certificates to protect internal communication within a cluster, how will you attract me?

3. Better not do that.

Why are certificates not required between the load balancer and EC2, but required within a Kubernetes cluster?

4. That's two different concepts.

   AWS load balancer and EC2 are infrastructure-layer(Iaas) components, which are only responsible for transmitting data stream. You can enforce security options on your own.

   On the other hand, components within a Kubernetes cluster are application-layer ones, which should include secure in-cluster communication by default.