Secure Kubernetes DaemonSet pods with TLS

12/3/2019

I have a Kubernetes DaemonSet that does some stuff when clients send requests to its pods.
The clients send requests directly to the DaemonSet pods using the Node IP and Known Port method as documented here.

All pods in the DaemonSet have the same server certificate and key attached to them by a ConfigMap.

My question is how do I get the clients to "trust" the certificate presented by the pods?

One of the clients rightfully complains that there is no CN or IP SANs in the certificates, since they are created before the DaemonSet pods are instantiated.

Since these DaemonSet pods are created dynamically when nodes are added to the cluster, and because all pods share the same spec, I am unable to dynamically / automatically issue a specific certificate for each pod.

Is there some way around this?

-- user2624119
kubernetes
kubernetes-pod
ssl
tls1.2

0 Answers
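The following is an added example, not code from the question or from any answer to it. It shows the usual way out of the problem in the question: clients do not "trust" an individual pod certificate, they trust a private CA certificate, and each pod gets its own short-lived leaf certificate signed by that CA with the node IP in the IP SANs. The verification function performs the same two checks the complaining client performs (chain to a trusted root, then match the dialed address against the SANs), which is also what crypto/tls does when a client sets RootCAs and ServerName to the node IP. The node IP `10.0.0.5`, the CA name `daemonset-ca` and the validity periods are assumptions for the example; in a real DaemonSet the IP would come from the Downward API field `status.hostIP`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"log"
	"math/big"
	"net"
	"time"
)

func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// NewCA creates a self-signed CA. Its certificate (never its key) is what every
// client is configured with as a trust root.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := newKey()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "daemonset-ca"}, // assumed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueServerCert signs a leaf certificate for one pod. ipSANs is the node IP
// the pod is reached on (in-cluster: Downward API status.hostIP). Passing no
// IP reproduces the shared, SAN-less certificate described in the question.
func IssueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, ipSANs ...net.IP) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := newKey()
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: "daemonset-pod"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour), // short-lived: pods are ephemeral
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  ipSANs,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// ClientVerify does what a TLS client does with the server certificate: checks
// that it chains to the pinned root and that the dialed node IP is in its SANs.
// A missing SAN yields x509.HostnameError, a foreign CA x509.UnknownAuthorityError.
func ClientVerify(root, leaf *x509.Certificate, nodeIP string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   nodeIP, // an IP literal here is matched against the IP SANs
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	ca, caKey, err := NewCA()
	if err != nil {
		log.Fatal(err)
	}
	nodeIP := "10.0.0.5" // assumed node IP for the example

	shared, _, _ := IssueServerCert(ca, caKey) // the question's shared cert: no SANs
	var he x509.HostnameError
	fmt.Println("shared cert, hostname error:", errors.As(ClientVerify(ca, shared, nodeIP), &he))

	perNode, _, _ := IssueServerCert(ca, caKey, net.ParseIP(nodeIP))
	fmt.Println("per-node cert, same node IP:", ClientVerify(ca, perNode, nodeIP))
	fmt.Println("per-node cert, other node IP:", ClientVerify(ca, perNode, "10.0.0.6"))
}
```

The practical consequence for the DaemonSet: the CA certificate is the only thing clients need to distribute, the CA key stays with whatever signs (an init container can generate the pod's key, build a request containing `status.hostIP` from the Downward API and have it signed before the main container starts), and both the CA key and each pod's private key belong in a Secret rather than a ConfigMap. A shared certificate without SANs can only be made to "work" by disabling hostname verification on the client, which removes the authentication TLS is there to provide.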