Certificate signing in EKS
A customer needs to generate X509 certificates in Kubernetes for their extensions (validating/mutating/conversion webhooks). Standard way is to use CertificateSigningRequest for this purpose, but EKS does not have CertificateSigning admission controller installed, so the CSR is not getting signed.
Is there either a way to enable CertificateSigning admission controller on EKS or any other best practice for generating and renewing X509 certificates for EKS cluster internal usage (i.e. kube-apiserver <-> custom-developped-webhook)?
I have encountered a similar issue. Admission controllers(mutating/validating) and kube-apiserver only communicate over HTTPS. The admission controller needs TLS certs.
I have few solutions to this problem that don't come natively with EKS but you can use Open source solutions
Use Cert-manager (X.509 certificate management for Kubernetes) ; cert-manager is a certificate management controller that can run on EKS. cert-manager will issue certificates from Let’s Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, or self signed. Big benefit is it will ensure certificates are valid and up to date, and attempt to renew certificates at a configured time before expiry
An open source tool called k8s-webhook-cert-manager can also be used in this scenario Link: https://github.com/newrelic/k8s-webhook-cert-manager
Another open source tool is available which is based on the above tool called k8s-webhook-certificator Link: https://github.com/Trendyol/k8s-webhook-certificator
I would recommend using cert-manager on EKS which is a CNCF project. If not other 2 tools mentioned.
Relevant questions
CloudFront alternate domain name Certificates
Accepted Answerasked 3 years agoSigning a CSR using Private CA
Accepted Answerasked 2 years agoEKS Anywhere Support
asked 16 days agoHow to use the same ACM certificate with CloudFront and ELB
Accepted Answerasked 3 years agoClient VPN Endpoint Creation - Not Detecting Client Certificate in ACM
Accepted Answerasked 3 years agoACM domain validation: Renewal for internal or non public Load-Balancers
Accepted Answerasked 4 years agoCertificate signing in EKS
Accepted Answerasked a year agoUsing a subordinate certificate authority from ACM Private CA for mTLS client certificate authentication with MSK
asked 4 months agoCreating a custom domain name for a stage in API Gateway and attaching the cert
Accepted Answerasked 4 years agoImplications of automatic EKS Platform version update
asked 2 months ago