Implementing an Auditable Access Control Strategy Using Cluster Certificate Authority Rotation

May 01, 2023 30 min Free

Description

This talk outlines a strategy for rotating a Kubernetes cluster's Certificate Authority (CA) with zero downtime. It covers introducing a new CA, cross-signing it with the old CA so that clients which still trust only the old CA keep verifying existing TLS connections, and then updating every party that holds a trust bundle or a CA-issued credential: server-side components, pod workloads, nodes (kubelets), administrators, and external automation. The discussion also covers considerations and challenges met during production execution, such as application restarts, webhook policies, and ad hoc automation. The goal is seamless CA rotation that also serves as effective access revocation when staff change or credentials are exposed.
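The rotation described above turns on three trust states that every client passes through: trusting only the old CA, trusting a bundle of both CAs, and trusting only the new CA. The Go program below is an added example, not part of the talk and not Kubernetes or kubeadm code. It models those states with the standard library's crypto/x509: it generates an old and a new cluster CA, cross-signs the new CA with the old one, issues an apiserver-style serving certificate from each, and checks which combinations a client verifies. The CA names, the apiserver hostname and the phase labels are invented for the example; a real cluster distributes its trust bundle through kubeconfigs, the `kube-root-ca.crt` ConfigMap and component flags, which this in-memory model does not touch.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type ca struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// must keeps the example short: any key or certificate generation failure is fatal.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// caTemplate is shared by the self-signed roots and the cross-signed copy of the new CA.
func caTemplate(cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// issue signs tmpl for pub with issuer; a self-signed root passes its own key and template as issuer.
func issue(tmpl *x509.Certificate, pub *ecdsa.PublicKey, issuer *ca) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, issuer.cert, pub, issuer.key))
	return must(x509.ParseCertificate(der))
}

// newRootCA creates a self-signed cluster CA (invented names are used below).
func newRootCA(cn string) *ca {
	key, tmpl := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), caTemplate(cn)
	return &ca{key: key, cert: issue(tmpl, &key.PublicKey, &ca{key: key, cert: tmpl})}
}

// crossSign has oldCA certify newCA's subject and public key. Presented by servers as an
// intermediate, it lets clients that still trust only oldCA chain to certificates newCA issued.
func crossSign(oldCA, newCA *ca) *x509.Certificate {
	return issue(caTemplate(newCA.cert.Subject.CommonName), &newCA.key.PublicKey, oldCA)
}

// issueServing issues an apiserver-style TLS serving certificate from issuer.
func issueServing(issuer *ca, dnsName string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	return issue(&x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), DNSNames: []string{dnsName},
		Subject:      pkix.Name{CommonName: dnsName}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
	}, &key.PublicKey, issuer)
}

// accepts: does a client trusting roots accept leaf for dnsName, given the extra certs the server presents?
func accepts(leaf *x509.Certificate, presented, roots []*x509.Certificate, dnsName string) bool {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range presented {
		interPool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: rootPool, Intermediates: interPool, DNSName: dnsName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// rotationPhases records whether a client accepts the serving cert in each trust state (labels invented).
func rotationPhases() map[string]bool {
	const apiserver = "kubernetes.default.svc"
	oldCA, newCA := newRootCA("kubernetes-ca-old"), newRootCA("kubernetes-ca-new")
	cross, oldLeaf, newLeaf := crossSign(oldCA, newCA), issueServing(oldCA, apiserver), issueServing(newCA, apiserver)
	oldOnly, newOnly := []*x509.Certificate{oldCA.cert}, []*x509.Certificate{newCA.cert}
	bundle := []*x509.Certificate{oldCA.cert, newCA.cert}
	return map[string]bool{
		// Un-updated clients reject a new-CA serving cert unless the cross-signed new CA is presented too.
		"old-trust/old-leaf":       accepts(oldLeaf, nil, oldOnly, apiserver),
		"old-trust/new-leaf":       accepts(newLeaf, nil, oldOnly, apiserver),
		"old-trust/new-leaf+cross": accepts(newLeaf, []*x509.Certificate{cross}, oldOnly, apiserver),
		// Clients rolled to the dual-CA bundle accept either issuer, so servers can switch freely.
		"bundle/old-leaf": accepts(oldLeaf, nil, bundle, apiserver),
		"bundle/new-leaf": accepts(newLeaf, nil, bundle, apiserver),
		// Final state: dropping the old CA from the bundle revokes everything it ever issued.
		"new-trust/old-leaf": accepts(oldLeaf, nil, newOnly, apiserver),
		"new-trust/new-leaf": accepts(newLeaf, nil, newOnly, apiserver),
	}
}

func main() {
	fmt.Println(rotationPhases())
}
```

The two false results are the point. `old-trust/new-leaf` shows why servers cannot simply switch issuers before clients hold the new root, and `old-trust/new-leaf+cross` shows the cross-signed certificate turning that into a pass; in a cluster it ships in the serving chain (kube-apiserver's `--tls-cert-file` takes the intermediate concatenated after the serving certificate), and the same chain building applies when the apiserver verifies kubelet or administrator client certificates against its own client-CA bundle. `new-trust/old-leaf` shows that once the old CA leaves the bundle, every certificate it ever issued stops verifying, including copies held by departed staff or exposed elsewhere, which is the revocation step the description ends on.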