-
Notifications
You must be signed in to change notification settings - Fork 13
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add Explanation for Certificate Refreshes (#637)
This commit adds an Explanation for Certificate Refreshes
- Loading branch information
1 parent
2ad8afb
commit f5acf06
Showing
2 changed files
with
60 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,59 @@ | ||
| # Certificates | ||
|
|
||
| Certificates are a crucial part of Kubernetes' security infrastructure, serving | ||
| to authenticate and secure communication within the cluster. They play a key | ||
| role in ensuring that communication between various components (such as the | ||
| API server, kubelets, and the datastore) is both encrypted and restricted to | ||
| authorised components only. | ||
|
|
||
| In Kubernetes, [X.509][] certificates are primarily used for | ||
| [Transport Layer Security][] (TLS), securing the communication between the | ||
| cluster's components. | ||
|
|
||
| ## What Is a Certificate Refresh? | ||
|
|
||
| A certificate refresh in {{product}} refers to the process of renewing or | ||
| rotating certificates before they expire. Kubernetes certificates have | ||
| a specific validity period, after which they expire and are no longer | ||
| considered valid. Expired certificates lead to failures in communication | ||
| between cluster components, potentially disrupting the functionality of the | ||
| entire cluster. | ||
|
|
||
| Regular certificate refreshes ensure that the certificates in use are valid and | ||
| secure, preventing unauthorised access or communication failures. | ||
|
|
||
| ## Importance of Certificate Refreshes | ||
|
|
||
| Regularly refreshing certificates in Kubernetes is essential for maintaining | ||
| the reliability of the cluster. Here are some reasons why certificate refreshes | ||
| are important: | ||
|
|
||
| ### Maintaining Cluster Security | ||
|
|
||
| Certificates are crucial for securing Kubernetes clusters, ensuring encrypted | ||
| and authenticated communication between components. If a certificate expires | ||
| and isn't promptly renewed, it can leave the cluster vulnerable to security | ||
| risks, potentially exposing it to unauthorised access. Regular certificate | ||
| refreshes prevent this by ensuring only valid certificates are used, | ||
| maintaining the cluster's security. | ||
|
|
||
| ### Preventing Downtime | ||
|
|
||
| Kubernetes relies on certificates for internal communication between critical | ||
| components, such as the kubelet, API server, and datastore. Expired | ||
| certificates can hinder this communication, leading to potential downtime and | ||
| workload disruptions. Proactively refreshing certificates before they expire | ||
| helps maintain uninterrupted cluster operations. | ||
|
|
||
| ### Security Compliance | ||
|
|
||
| Security standards, such as [CIS][], often require the regular rotation of | ||
| credentials, including certificates. Periodically renewing Kubernetes | ||
| certificates ensures that the cluster meets security standards and compliance | ||
| requirements. | ||
|
|
||
| <!-- LINKS --> | ||
|
|
||
| [CIS]: https://www.cisecurity.org/controls | ||
| [Transport Layer Security]: https://datatracker.ietf.org/doc/html/rfc8446 | ||
| [X.509]: https://datatracker.ietf.org/doc/html/rfc5280 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -12,6 +12,7 @@ Overview <self> | |
| ```{toctree} | ||
| :titlesonly: | ||
| about | ||
| certificates | ||
| channels | ||
| clustering | ||
| ingress | ||
|
|
||