Bundle Certs into kubeconfig and Configu...
DevOpsSecurity

Bundle Certs into kubeconfig and Configure Secret Encryption

The certificates are ready, but the Kubernetes binaries read them through a pre-bundled format: kubeconfig. This article generates kubeconfigs for admin, controller-manager, scheduler, kube-proxy and each kubelet — explaining the cluster/user/context model and why the control plane points at 127.0.0.1 while workers go through the load balancer. It ends by creating the Secret-at-rest encryption file for etcd.

K
KaiMay 24, 2026· 37 views
Sign Every Certificate by Hand with cfss...
DevOpsSecurity

Sign Every Certificate by Hand with cfssl

The core of 'from scratch': use cfssl to create three CAs (Kubernetes, etcd, front-proxy) then sign all the certificates for each component — apiserver with a full SAN, a kubelet per worker with special CN/O, controller-manager, scheduler, kube-proxy, the etcd client, and the service-account key pair. Each one done individually, each field correct, then verify the trust chain.

K
KaiMay 24, 2026· 36 views
PKI and TLS: Why a Cluster Needs So Many...
DevOpsSecurity

PKI and TLS: Why a Cluster Needs So Many Certificates

A Kubernetes cluster needs a dozen certificates and three separate CAs. This article explains the PKI/TLS model underpinning every connection in the cluster: who the CA signs for, how two-way mTLS works, and one easily-forgotten point — the CN and O fields in a certificate are the very identity and RBAC group the api-server trusts.

K
KaiMay 24, 2026· 43 views
Ansible Vault: Managing Secrets
DevOpsSecurity

Ansible Vault: Managing Secrets

Passwords and API keys can't sit in plaintext in Git. Ansible Vault encrypts secrets with AES256, decrypting automatically at run time. This article: encrypt/view/edit secret files, encrypt_string for individual values, using them in a playbook, and best practices.

K
KaiMay 23, 2026· 18 views
TLS/SSL: Encryption and Certificates
DevOpsSecurity

TLS/SSL: Encryption and Certificates

A deep dive into the 'S' in HTTPS: how TLS handshakes and encrypts, what a certificate contains, and how the chain of trust from a server certificate up to a root CA lets the browser trust a website. Observed live with openssl.

K
KaiMay 23, 2026· 18 views
Firewalls and Network Security
DevOpsSecurity

Firewalls and Network Security

Controlling who can connect to which port: a firewall filters traffic by IP, port, and direction. Understand the default-deny principle, stateful firewalls, iptables/nftables on Linux, ufw, and cloud security groups.

K
KaiMay 23, 2026· 10 views
SSH and File Transfer: ssh, scp, rsync
DevOpsSecurity

SSH and File Transfer: ssh, scp, rsync

How you actually get into a remote Linux server: SSH with key authentication (safer than passwords), a handy config file, and transferring files with scp and rsync. A foundational skill for everything you do on a server.

K
KaiMay 23, 2026· 8 views