Kubernetes & Cloud Native

Kubernetes relies on PKI for all internal authentication: API server, kubelets, etcd, and service accounts. Here's how the cluster PKI works, what certificates exist, and where security gaps hide.

Service meshes like Istio and Linkerd automate mTLS between pods — issuing certificates, rotating them, and encrypting traffic without application code changes. Here's how it works and where it breaks.

Kubernetes uses TLS certificates for cluster communication, ingress termination, and service-to-service encryption. Here's where certificates live in K8s, how they're managed, and where they expire without warning.

cert-manager automates TLS certificate issuance and renewal in Kubernetes using ACME, Vault, private CAs, and more. Here's how it works, how to configure it, and where it fails silently.

Workload identity assigns cryptographic identities to software workloads (pods, VMs, serverless functions) instead of relying on network location or static credentials. Here's how SPIFFE, cloud workload identity, and service meshes implement it.