Certificate signing in EKS

Question

A customer needs to generate X509 certificates in Kubernetes for their extensions (validating/mutating/conversion webhooks). [Standard way][1] is to use CertificateSigningRequest for this purpose, but EKS [does not have][2] CertificateSigning admission controller installed, so the CSR is not getting signed.

Is there either a way to enable CertificateSigning admission controller on EKS or any other best practice for generating and renewing X509 certificates for EKS cluster internal usage (i.e. kube-apiserver <-> custom-developped-webhook)?

[1]: https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/
  [2]: https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html#platform-versions-1.19

Accepted Answer

I have encountered a similar issue. Admission controllers(mutating/validating) and kube-apiserver only communicate over HTTPS. The admission controller needs TLS certs.

I have few solutions to this problem that don't come natively with EKS but you can  use Open source solutions

1. Use **Cert-manager** (X.509 certificate management for Kubernetes) ; cert-manager is a certificate management controller that can run on EKS. cert-manager will issue certificates from Let’s Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, or self signed. Big benefit is it will ensure certificates are valid and up to date, and attempt to renew certificates at a configured time before expiry

2. An open source tool  called **k8s-webhook-cert-manager** can also be used in this scenario 
**Link:**  https://github.com/newrelic/k8s-webhook-cert-manager

3. Another open source tool is available which is based on the above tool called **k8s-webhook-certificator**
**Link:** https://github.com/Trendyol/k8s-webhook-certificator

I would recommend using **cert-manager** on EKS which is a CNCF project. If not other 2 tools mentioned.

Certificate signing in EKS

Relevant content