AKS masters should use real TLS cert instead of "Kubernetes Ingress Controller Fake Certificate"
Currently, masters are using a fake TLS (SSL) cert. This could probably be fixed easily.
openssl s_client -connect cluster-whatever.hcp.westeurope.azmk8s.io:443
CONNECTED(00000005)
depth=0 O = Acme Co, CN = Kubernetes Ingress Controller Fake Certificate
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = Acme Co, CN = Kubernetes Ingress Controller Fake Certificate
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate chain
0 s:/O=Acme Co/CN=Kubernetes Ingress Controller Fake Certificate
i:/O=Acme Co/CN=Kubernetes Ingress Controller Fake Certificate
Server certificate
-----BEGIN CERTIFICATE-----
MIIDcDCCAligAwIBAgIRAM4H3...
....
A7Ika/pFFeZcS5K+sfGjKUX6Pl8=
-----END CERTIFICATE-----
subject=/O=Acme Co/CN=Kubernetes Ingress Controller Fake Certificate
issuer=/O=Acme Co/CN=Kubernetes Ingress Controller Fake Certificate
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
....
....
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Using fake certs prevents us from using a hostname verifier in TLS.
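A way to turn the transcript above into an automated check, as an added example that is not part of the original issue: it parses `openssl s_client` output and reports why a verifying client would reject the endpoint. The function names are hypothetical, and the hostname check looks at the subject CN only, because the default `s_client` summary does not print subjectAltName entries.

```python
import re

FAKE_CN = "Kubernetes Ingress Controller Fake Certificate"

# Lines taken from the transcript in the issue (certificate body omitted).
SAMPLE = """\
subject=/O=Acme Co/CN=Kubernetes Ingress Controller Fake Certificate
issuer=/O=Acme Co/CN=Kubernetes Ingress Controller Fake Certificate
Verify return code: 21 (unable to verify the first certificate)
"""

def parse_dn(dn):
    """Parse '/O=Acme Co/CN=x' or 'O = Acme Co, CN = x' (naive: no escaped separators)."""
    dn = dn.strip()
    parts = dn.split("/") if dn.startswith("/") else dn.split(",")
    pairs = (p.split("=", 1) for p in parts if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def cn_matches(cn, host):
    """Exact match, or a wildcard covering exactly one leftmost label."""
    cn, host = cn.lower(), host.lower()
    if cn.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cn[2:]
    return cn == host

def assess(transcript, expected_host):
    """Return a list of findings for one `openssl s_client` transcript."""
    subject = issuer = code = None
    for line in transcript.splitlines():
        line = line.strip()
        m = re.match(r"Verify return code:\s*(\d+)\s*\((.*)\)", line)
        if line.startswith("subject="):
            subject = parse_dn(line[len("subject="):])
        elif line.startswith("issuer="):
            issuer = parse_dn(line[len("issuer="):])
        elif m:
            code = (int(m.group(1)), m.group(2))
    findings = []
    if code is None:
        findings.append("no verify result in transcript")
    elif code[0] != 0:
        findings.append(f"chain not trusted: {code[0]} ({code[1]})")
    if subject is not None and subject == issuer:
        findings.append("self-signed: subject equals issuer")
    cn = (subject or {}).get("CN")
    if cn == FAKE_CN:
        findings.append("placeholder certificate presented")
    if cn is not None and not cn_matches(cn, expected_host):
        findings.append(f"hostname mismatch: CN does not cover {expected_host}")
    return findings
```

Calling `assess(SAMPLE, "cluster-whatever.hcp.westeurope.azmk8s.io")` returns all four findings for the certificate shown in the issue; an empty list means the transcript shows a trusted chain whose CN covers the expected host.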
