
> The Root CA certificate, etcd certificate, and API server certificate expired, which caused the cluster to stop working and prevented our management of it.

I've run into this and learned my lesson/gained my battle scars, but it just seems like unnecessary pain. Would it have been so bad for k8s to use something simple for securing communications other than the full TLS stack, right from the beginning?

It's so cumbersome, and so many people run into this footgun that also happens to be proper security practice.

A symmetric key setup is simple, and if it were available as a fallback all this pain could be avoided. It's not as secure, and you have to be careful with nonces and things, but I'll take some somewhat distant insecurity (if someone is already inside your network and reading your asymmetric secrets, you have other problems) for the better ergonomics and lower likelihood of blowing off my own foot.
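The outage quoted at the top is a missed expiry, so the check worth having is the one that fires before the cluster stops talking. The following is an added example in Go, not code from the article, the commenter or Kubernetes: it walks a PEM bundle and reports which certificates are expired or inside a warning window. The certificates it audits are constructed in-memory stand-ins for files such as the ones under a kubeadm cluster's /etc/kubernetes/pki; AuditPEM, CertReport, selfSignedPEM and the 30-day warning threshold are this example's own choices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CertReport is the expiry status of one certificate in the audited bundle.
type CertReport struct {
	Subject  string
	NotAfter time.Time
	DaysLeft int  // negative once expired
	Expired  bool // now is at or past NotAfter
	Expiring bool // fewer than warnDays left (includes already expired)
}

// AuditPEM walks every CERTIFICATE block in pemData (keys and other block types
// are skipped) and reports its expiry relative to now; page on anything Expiring.
func AuditPEM(pemData []byte, now time.Time, warnDays int) ([]CertReport, error) {
	var reports []CertReport
	for rest := pemData; ; {
		var block *pem.Block
		if block, rest = pem.Decode(rest); block == nil {
			return reports, nil
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		days := int(cert.NotAfter.Sub(now).Hours() / 24)
		reports = append(reports, CertReport{
			Subject:  cert.Subject.CommonName,
			NotAfter: cert.NotAfter,
			DaysLeft: days,
			Expired:  !now.Before(cert.NotAfter),
			Expiring: days < warnDays,
		})
	}
}

// selfSignedPEM builds a throwaway self-signed certificate: constructed input
// standing in for the real files in the cluster's PKI directory.
func selfSignedPEM(cn string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now := time.Now().Truncate(time.Second) // X.509 times carry second precision
	// Constructed bundle: a CA with years left, an API server cert inside the
	// 30-day warning window, and an etcd cert that expired three days ago.
	var bundle []byte
	for _, c := range []struct {
		cn  string
		end time.Time
	}{
		{"kubernetes-ca", now.AddDate(10, 0, 0)},
		{"kube-apiserver", now.AddDate(0, 0, 20)},
		{"etcd-server", now.AddDate(0, 0, -3)},
	} {
		p, err := selfSignedPEM(c.cn, now.AddDate(-1, 0, 0), c.end)
		if err != nil {
			panic(err)
		}
		bundle = append(bundle, p...)
	}
	reports, err := AuditPEM(bundle, now, 30)
	if err != nil {
		panic(err)
	}
	for _, r := range reports {
		fmt.Printf("%-15s notAfter=%s daysLeft=%5d expired=%-5t expiring=%t\n",
			r.Subject, r.NotAfter.Format("2006-01-02"), r.DaysLeft, r.Expired, r.Expiring)
	}
}
```

Point AuditPEM at the concatenation of your real CA, etcd and API server certificates and run it from cron or a probe; the Expiring flag is the alert, and the CA's own NotAfter deserves the longest lead time because rotating it means re-issuing everything beneath it.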



Rolling your own key management system is not to be taken lightly. I've done it, and you really, really only want to do it when you really know other systems won't work.


Yeah, but this isn't rolling your own key management system. This is the stupid simple every machine/program has the same shared secret approach.

The difficulty is securing comms between components (assuming they can reach each other, just making sure that the payloads are secret) and making sure you don't leak secrets unintentionally (forgetting nonces) and all the other hard crypto things.

But it's not impossible to make a reasonable-to-use fallback system that does this; it's just that no one does, out of fear of being mocked for not just accepting the pain and bad ergonomics of TLS.

Other systems do work, but they have the footguns mentioned in the article that everyone seems to hit.
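The shared-secret scheme sketched in the two comments above (one key on every component, nonces you must never repeat, leaks you must not create by accident), as an added example in Go that is not code from the commenters or from Kubernetes. It seals with AES-GCM under a pre-shared key using a nonce built from a per-component ID and a monotonic counter, rejects replays on the receiving side, and then demonstrates the footgun the comments warn about: sealing two messages under the same key and nonce lets anyone who knows one plaintext recover the other without the key. Peer, NewPeer, NonceReuseLeak, the sender IDs and the demo key are all this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"sync"
)

const nonceSize = 12 // AES-GCM nonce: 4-byte sender ID || 8-byte counter
// Peer is one component holding the shared key. Its nonce is (senderID, counter),
// so no two messages under the key ever share a nonce; it rejects replays by
// requiring each remote sender's counter to strictly increase.
type Peer struct {
	mu       sync.Mutex
	aead     cipher.AEAD
	senderID uint32
	counter  uint64            // 64-bit: rotate the key long before it could wrap
	next     map[uint32]uint64 // remote senderID -> lowest counter still accepted
}

func NewPeer(key []byte, senderID uint32) (*Peer, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Peer{aead: aead, senderID: senderID, next: map[uint32]uint64{}}, nil
}

// Seal returns nonce || ciphertext || tag; the sender ID is also bound as
// associated data so the tag fails if it is rewritten in transit.
func (p *Peer) Seal(plaintext []byte) []byte {
	p.mu.Lock()
	defer p.mu.Unlock()
	nonce := make([]byte, nonceSize)
	binary.BigEndian.PutUint32(nonce[:4], p.senderID)
	binary.BigEndian.PutUint64(nonce[4:], p.counter)
	p.counter++
	return p.aead.Seal(nonce, nonce, plaintext, nonce[:4])
}

// Open authenticates first; only a genuine message touches the replay state.
func (p *Peer) Open(msg []byte) (senderID uint32, plaintext []byte, err error) {
	if len(msg) < nonceSize+p.aead.Overhead() {
		return 0, nil, errors.New("message too short")
	}
	nonce, ct := msg[:nonceSize], msg[nonceSize:]
	if plaintext, err = p.aead.Open(nil, nonce, ct, nonce[:4]); err != nil {
		return 0, nil, err // wrong key, tampered, or forged
	}
	p.mu.Lock()
	defer p.mu.Unlock()
	senderID = binary.BigEndian.Uint32(nonce[:4])
	ctr := binary.BigEndian.Uint64(nonce[4:])
	if ctr < p.next[senderID] {
		return 0, nil, errors.New("replayed or out-of-order message")
	}
	p.next[senderID] = ctr + 1
	return senderID, plaintext, nil
}

// NonceReuseLeak is the footgun. GCM XORs the plaintext with a keystream derived
// from (key, nonce), so two messages sealed under the same pair satisfy
// ct1 XOR ct2 == pt1 XOR pt2; knowing pt1 yields pt2 without the key.
func NonceReuseLeak(key, nonce, pt1, pt2 []byte) ([]byte, error) {
	p, err := NewPeer(key, 0)
	if err != nil {
		return nil, err
	}
	ct1 := p.aead.Seal(nil, nonce, pt1, nil)
	ct2 := p.aead.Seal(nil, nonce, pt2, nil)
	n := len(pt2)
	if len(pt1) < n {
		n = len(pt1)
	}
	recovered := make([]byte, n)
	for i := range recovered {
		recovered[i] = ct1[i] ^ ct2[i] ^ pt1[i]
	}
	return recovered, nil
}

func main() {
	key := make([]byte, 32) // constructed pre-shared key for the demo
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	apiserver, _ := NewPeer(key, 1)
	etcd, _ := NewPeer(key, 2)
	id, pt, err := etcd.Open(apiserver.Seal([]byte("status: healthy")))
	fmt.Printf("from %d: %q (err=%v)\n", id, pt, err)
	rec, _ := NonceReuseLeak(key, make([]byte, nonceSize), []byte("attack at dawn"), []byte("hold position"))
	fmt.Printf("pt2 recovered via nonce reuse: %q\n", rec)
}
```

Two things the ergonomics argument has to pay for even in this stripped-down form: the counter state must survive restarts (a component that reboots and starts again at zero reuses every nonce it already burned, which is exactly the leak NonceReuseLeak shows), and one key on every component means any single compromised component can impersonate all of the others, since nothing but the sender ID in the nonce distinguishes them.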



