Kubernetes TLS bootstrapping

Bootstrapping TLS based communication in Kubernetes

This post is about bootstrapping TLS-based communication in Kubernetes for kubelets and nodes. Kubernetes has official documentation covering TLS bootstrapping at https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/, and while that documentation is a must-read, it is not always something you can rely on wholly to meet your requirements; you may find yourself scouring GitHub issues and Stack Overflow posts to resolve inconsistencies against the specifics of your cluster. This post is not intended to replace the Kubernetes documentation on the subject, but rather to build context and answer questions that the documentation leaves open.

Note: This post is written for a Kubernetes 1.9.x "cluster from scratch". If you are using a version earlier than 1.9.x, you will need to research any version-specific requirements for getting bootstrapping to work.

This post also assumes that you have already created a certificate authority using cfssl, and that the corresponding flags are configured on etcd, the API server, and kube-controller-manager so that all traffic between them is encrypted and authenticated.