Blog
Thoughts on engineering, design, and building great products.
Bundle Certs into kubeconfig and Configure Secret Encryption
The certificates are ready, but the Kubernetes binaries read them through a pre-bundled format: kubeconfig. This article generates kubeconfigs for admin, controller-manager, scheduler, kube-proxy and each kubelet — explaining the cluster/user/context model and why the control plane points at 127.0.0.1 while workers go through the load balancer. It ends by creating the Secret-at-rest encryption file for etcd.
Sign Every Certificate by Hand with cfssl
The core of 'from scratch': use cfssl to create three CAs (Kubernetes, etcd, front-proxy) then sign all the certificates for each component — apiserver with a full SAN, a kubelet per worker with special CN/O, controller-manager, scheduler, kube-proxy, the etcd client, and the service-account key pair. Each one done individually, each field correct, then verify the trust chain.
PKI and TLS: Why a Cluster Needs So Many Certificates
A Kubernetes cluster needs a dozen certificates and three separate CAs. This article explains the PKI/TLS model underpinning every connection in the cluster: who the CA signs for, how two-way mTLS works, and one easily-forgotten point — the CN and O fields in a certificate are the very identity and RBAC group the api-server trusts.
Ansible Vault: Managing Secrets
Passwords and API keys can't sit in plaintext in Git. Ansible Vault encrypts secrets with AES256, decrypting automatically at run time. This article: encrypt/view/edit secret files, encrypt_string for individual values, using them in a playbook, and best practices.
TLS/SSL: Encryption and Certificates
A deep dive into the 'S' in HTTPS: how TLS handshakes and encrypts, what a certificate contains, and how the chain of trust from a server certificate up to a root CA lets the browser trust a website. Observed live with openssl.
Firewalls and Network Security
Controlling who can connect to which port: a firewall filters traffic by IP, port, and direction. Understand the default-deny principle, stateful firewalls, iptables/nftables on Linux, ufw, and cloud security groups.
SSH and File Transfer: ssh, scp, rsync
How you actually get into a remote Linux server: SSH with key authentication (safer than passwords), a handy config file, and transferring files with scp and rsync. A foundational skill for everything you do on a server.