Ingress client certificate authentication requires CA certificate to be stored in secret?

553 views. Asked by sg1993.

I want to enable client-certificate authentication in my AKS cluster and I have a basic question which I just don't seem to understand. As per the docs, ingress requires the CA certificate to be stored in a secret. My question is: assuming that I use client certificates that have been issued by a trusted CA (that's how it works, right? CAs issue client certificates that they sign?), why would a trusted CA give me their CA certificate to be stored in the AKS cluster as a secret? Do CAs just hand their certificates out to the public? Isn't that a security issue? (Since I can sign client certificates using that CA certificate.)

1 answer
The CA certificate .crt file doesn't contain the private key. It only contains the public key and certificate information, which is public and can't be used to sign new certificates. You can safely store the ca.crt in a Kubernetes Secret; it only requires the private key for the server certificate.
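A constructed illustration of the answer's point, added here and not part of the original answer: it builds a throwaway CA with the Go standard library, issues a client certificate with the CA's private key, and then shows that the ca.crt PEM (what goes into the Secret) holds only a CERTIFICATE block and is enough to verify a presented client certificate, which is all the ingress controller does with it. The CA name, the client name and the 24-hour lifetimes are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// issue signs tmpl with the issuer's PRIVATE key; ca.crt holds no key, so it cannot do this step.
func issue(tmpl, parent *x509.Certificate, pub interface{}, key *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der)
	return c
}
// BuildCAAndClient creates a throwaway CA and a client cert issued by it (constructed test data) and
// returns the PEM that would be stored in the Kubernetes Secret as ca.crt, plus the client cert.
func BuildCAAndClient() ([]byte, *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Client CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	clientKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	clientTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "alice"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	client := issue(clientTmpl, ca, &clientKey.PublicKey, caKey) // signed with caKey, never with ca.crt
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw}), client
}
// PEMBlockTypes lists the block types in a PEM file: for ca.crt that is only CERTIFICATE, never a key.
func PEMBlockTypes(p []byte) []string {
	var types []string
	for b, rest := pem.Decode(p); b != nil; b, rest = pem.Decode(rest) {
		types = append(types, b.Type)
	}
	return types
}
// VerifyClient is what the ingress controller does with the Secret: build a trust pool from ca.crt
// and chain the presented client certificate to it. Only the public CA certificate is needed.
func VerifyClient(caPEM []byte, client *x509.Certificate) bool {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) { return false }
	_, err := client.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
```

With ingress-nginx the Secret holding this ca.crt is referenced through the nginx.ingress.kubernetes.io/auth-tls-secret annotation; the CA's private key never leaves the CA, so possession of the Secret lets the cluster verify certificates but not issue them.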