Using kubectl behind SSL Interception

Tags: kubernetes

kubectl performs its own verification of the cluster's certificate outside of the OS's trusted certificate authorities, using the certificate authority defined in the certificate-authority-data field of the Kubeconfig file.

It is likely that the device performing the interception is a) replacing the cluster's certificate with its own, signed by a different CA, and b) unable to verify the cluster's certificate, which is signed by a different CA.

Depending on how the cluster is built, you may be able to issue certificates based on a pre-existing CA trusted by the interception device instead of a separate CA for the cluster. This is far beyond the scope of a StackOverflow answer; Kubernetes Up and Running and Kubernetes the Hard Way are good starting points, and you may need to read Kubernetes source code to get all the Key Usages of the certificates right.

It should be noted that SSL Interception is considered a bad practice (though it is widespread in some industries such as banking). TLS 1.3 is designed to prevent it entirely through the exclusive use of Perfect Forward Secrecy.
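The verification the answer describes, as an added Go example that is not part of the original answer or of kubectl itself: a cluster CA is generated and embedded as certificate-authority-data in a constructed kubeconfig, a genuine apiserver serving certificate and one minted by a hypothetical interception proxy's own CA are both checked against that CA alone (not the OS trust store), and only the genuine one passes. The helper names (newCA, newServerCert, caPoolFromKubeconfig, verifyAPIServer, Demo), the hostname and the regexp used in place of a YAML parser are assumptions of this example. The leaf template also shows the Key Usage and Extended Key Usage an apiserver serving certificate needs (digitalSignature plus serverAuth) if you do reissue it from a CA the interception device trusts.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"regexp"
	"time"
)

// newCA builds a self-signed CA (hypothetical helper; a real cluster's CA
// comes from kubeadm, your PKI, or however the cluster was built).
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// newServerCert issues a serving certificate for host signed by ca. The
// SAN, digitalSignature key usage and serverAuth EKU are what a TLS
// server certificate for the apiserver needs to verify.
func newServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// caDataRE is a simplification: a regexp instead of a YAML parser, which is
// enough for the single-line certificate-authority-data field.
var caDataRE = regexp.MustCompile(`certificate-authority-data:\s*(\S+)`)

// caPoolFromKubeconfig decodes the base64 PEM bundle from a kubeconfig into
// a trust pool containing only the cluster CA.
func caPoolFromKubeconfig(kubeconfig string) (*x509.CertPool, error) {
	m := caDataRE.FindStringSubmatch(kubeconfig)
	if m == nil {
		return nil, errors.New("no certificate-authority-data in kubeconfig")
	}
	pemBytes, err := base64.StdEncoding.DecodeString(m[1])
	if err != nil {
		return nil, fmt.Errorf("certificate-authority-data is not base64: %w", err)
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemBytes) {
		return nil, errors.New("certificate-authority-data holds no PEM certificate")
	}
	return pool, nil
}

// verifyAPIServer mirrors kubectl's check: a non-nil Roots pool means the OS
// trust store is ignored, so the presented cert must chain to the kubeconfig
// CA and be valid for the server name.
func verifyAPIServer(presented *x509.Certificate, pool *x509.CertPool, host string) error {
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Demo returns the verification results for the genuine apiserver cert and
// for one substituted by an interception proxy signed by its own CA.
func Demo() (genuineErr, interceptedErr error) {
	const host = "api.example.internal" // constructed hostname
	clusterCA, clusterKey := newCA("kubernetes")
	genuine := newServerCert(clusterCA, clusterKey, host)
	proxyCA, proxyKey := newCA("Corporate TLS Inspection CA") // constructed interceptor
	intercepted := newServerCert(proxyCA, proxyKey, host)

	// Constructed kubeconfig with only the cluster CA embedded.
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: clusterCA.Raw})
	kubeconfig := fmt.Sprintf("apiVersion: v1\nclusters:\n- cluster:\n    certificate-authority-data: %s\n    server: https://%s:6443\n  name: demo\n",
		base64.StdEncoding.EncodeToString(caPEM), host)

	pool, err := caPoolFromKubeconfig(kubeconfig)
	if err != nil {
		return err, err
	}
	return verifyAPIServer(genuine, pool, host), verifyAPIServer(intercepted, pool, host)
}

func main() {
	g, i := Demo()
	fmt.Println("genuine apiserver cert:", g)
	fmt.Println("intercepted cert:      ", i)
}
```

On a real cluster the same comparison can be made by hand: `kubectl config view --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' | base64 -d | openssl x509 -noout -subject` shows the CA kubectl trusts, and `openssl s_client -connect <apiserver>:6443 -showcerts </dev/null | openssl x509 -noout -issuer` shows who actually signed the certificate the client receives; an issuer naming the inspection appliance rather than the cluster CA is the interception the answer describes.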