KubeCon + CloudNativeCon Europe 2023

Changes in staff and credential exposures require organizations to have an enforcable strategy to revoke and renew access to Kubernetes clusters. Cluster certificate authorities need to be rotated in addition to the downstream certificates these cluster CAs sign to implement an access renewal and revocation strategy. Certificates issued by the cluster CA including node kubelet client certificates, node kubelet server certificates, and cluster administrator certificates need to be able to be rotated in a zero downtime fashion in order to maintain availability throughout this revocation process. This talk outlines a strategy that organizations can utilize to rotate cluster CAs with zero downtime using CA cross signing. We will visually walkthrough the workflow and how certificates for individual critical cluster components change throughout the rotation process. We will touch on how cross signing enables this process to occur without any downtime to existing components running within the cluster. We will then touch on how new access can be granted to the cluster once the rotation process is complete.