Day 20/#30daysofK8s

Parthvi Vala
Feb 26, 2021

alias PP=Public-Private key pair

Any new user who joins the k8s cluster needs to generate their PP and get the certificate (public key) signed by the trusted CA of the cluster. This can happen like this:

  1. New user generates a PP.
  2. New user sends a CSR to the cluster admin.
  3. Cluster admin gets this CSR signed by the CA.
  4. Cluster admin sends the signed certificate back to the new user.

The certificate stays valid until its expiration date. Once it reaches the EOL, the whole process should be repeated.

The CA is nothing but another PP stored on a dedicated server. The server that stores this PP becomes the CA for the cluster; this can even be the master node.
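The four steps and the CA key pair described above, as an added example using the openssl CLI (not code from the original post). A throwaway CA stands in for the cluster CA, and the user `jane`, the group `dev-team` and the file names are assumptions.

```shell
#!/bin/sh
# Constructed demo: a throwaway CA stands in for the cluster CA, and the
# user "jane" / group "dev-team" are hypothetical names.
set -eu

# Stand-in for the cluster CA: a self-signed certificate plus its private key.
make_demo_ca() {    # usage: make_demo_ca DIR
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$1/ca.key" -subj "/CN=demo-cluster-ca" \
        -days 30 -out "$1/ca.crt"
}

# Steps 1-4 for one user. Kubernetes reads the username from the
# certificate's CN and the group memberships from its O fields.
issue_user_cert() {    # usage: issue_user_cert DIR USER GROUP DAYS
    dir=$1 user=$2 group=$3 days=$4
    # 1. The user generates a key pair; the private key never leaves them.
    openssl genrsa -out "$dir/$user.key" 2048 2>/dev/null
    chmod 600 "$dir/$user.key"
    # 2. The user sends only the CSR (public key + requested identity).
    openssl req -new -key "$dir/$user.key" -subj "/CN=$user/O=$group" \
        -out "$dir/$user.csr"
    # 3. The admin signs the CSR with the CA key and sets the lifetime.
    openssl x509 -req -in "$dir/$user.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days "$days" \
        -out "$dir/$user.crt" 2>/dev/null
    # 4. The user checks that the returned certificate chains to the CA.
    openssl verify -CAfile "$dir/ca.crt" "$dir/$user.crt" >/dev/null
}

# Succeeds only if CERT was issued for the private key in KEY.
cert_matches_key() {    # usage: cert_matches_key CERT KEY
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
make_demo_ca "$demo"
issue_user_cert "$demo" jane dev-team 1
openssl x509 -in "$demo/jane.crt" -noout -subject -enddate
```

The `-days` value in step 3 is what fixes the expiration date; `openssl x509 -checkend <seconds>` on the issued certificate tells the user whether renewal is due.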

This seems fine when the number of users is limited, but it makes more sense to automate the signing process when the number of users is huge.
