kubernetesgoogle-kubernetes-engineetcdkubernetes-security

Seperate CA for etcd in Kubernetes?


I was going through Control Plane Security in Google cloud(GKE) course and referring to 'certificate authority and cluster trust' in the link below and have these questions. Can someone clarify these ?.

https://cloud.google.com/kubernetes-engine/docs/concepts/control-plane-security

  1. Learnt that every cluster has its on CA that would issue certificates, this part is fine.. there is also a mention on etcd having seperate CA... does it mean a cluster has two CAs, one for rest of the components and one for etcd Or is it just one CA for whole control plane ?
  2. It also says, each cluster has its own 'root' CA..I know what CA is, what does root Certificate Authority mean ?

Thanks in advance...


Solution

  • 1.- That's correct. There is one certificate for masters and nodes components, and another one for etcd. This article explains is better. Note that it's a GKE approach, not Kubernetes.

    2.- The article I passed also explains this second points. Indeed there are two CAs. I quote "In GKE, the master API certificate is signed by the cluster root CA. Each cluster runs its own CA, so that if one cluster's CA were to be compromised, no other cluster CA would be affected".