The certificate being used by the k8s API server on port 443 is an untrusted certificate.
PreviousHow to set GOMAXPROCS parameter for all node-exporter podsNextETCD not Initialising Over Masters due to Active Firewall
Last updated
Vulnerability checks report that the certificate used by the k8s API server on port 443 is not a trusted certificate.
Why not use a certificate signed by a trusted third-party Certificate Authority in PMK?
Platform9 Managed Kubernetes - All Versions
Pf9-Vault
PMK uses HashiCorp Vault to manage certificates. The certificates are issued by Vault's internal CA and are trusted within the environment. However, they may be flagged as untrusted by external tools unless the CA certificate is added to their trust stores.
Third-party CAs are useful when there are a large number of clients and they are unaware of the CA used by the server.
It is standard practice to use self-signed certificates to connect to the API server. From a Kubernetes perspective, the clients are known - they are the worker nodes and clients connecting using a kubeconfig.
In both cases, they are preconfigured to use the CAs generated by PMK. Platform9 owns the complete workflow of creating these certificates, distributing them to the server and clients, and rotating them when they are about to expire.
So, In this scenario, there won't be any additional security benefits of using third-party CAs.
If the customer is using Qualys for vulnerability checks:
The Qualys scan will report the certificates used by the API server as untrusted, which means the certificates issued by Vault are self-signed by Vault's internal CA, and the Qualys scanner does not have Vault's CA certificate in its trust store.
Qualys has a way to pass in custom CAs that it can trust during its tests: https://qualysguard.qualys.eu/qwebhelp/fo_portal/setup/win_trusted_ca.htm.
Last updated