Blog
Thoughts on engineering, design, and building great products.
Sign Every Certificate by Hand with cfssl
The core of 'from scratch': use cfssl to create three CAs (Kubernetes, etcd, front-proxy) then sign all the certificates for each component — apiserver with a full SAN, a kubelet per worker with special CN/O, controller-manager, scheduler, kube-proxy, the etcd client, and the service-account key pair. Each one done individually, each field correct, then verify the trust chain.
PKI and TLS: Why a Cluster Needs So Many Certificates
A Kubernetes cluster needs a dozen certificates and three separate CAs. This article explains the PKI/TLS model underpinning every connection in the cluster: who the CA signs for, how two-way mTLS works, and one easily-forgotten point — the CN and O fields in a certificate are the very identity and RBAC group the api-server trusts.
TLS/SSL: Encryption and Certificates
A deep dive into the 'S' in HTTPS: how TLS handshakes and encrypts, what a certificate contains, and how the chain of trust from a server certificate up to a root CA lets the browser trust a website. Observed live with openssl.