Home Explore Blog CI



kubernetes
1st chunk of `content/en/blog/_posts/2018-01-00-Reporting-Errors-Using-Kubernetes-Events.md`
21cb3b319e49f165af90b80a81825cab185bf2fbfcd9c3d9000000010000086c
---
title: "Reporting Errors from Control Plane to Applications Using Kubernetes Events"
date: 2018-01-25
slug: reporting-errors-using-kubernetes-events
url: /blog/2018/01/Reporting-Errors-Using-Kubernetes-Events
author: >
  Hakan Baba (Box)
---

At [Box](https://www.box.com/), we manage several large scale Kubernetes clusters that serve as an internal platform as a service (PaaS) for hundreds of deployed microservices. The majority of those microservices are applications that power box.com for over 80,000 customers. The PaaS team also deploys several services affiliated with the platform infrastructure as the _control plane_.  

One use case of Box’s control plane is [public key infrastructure](https://en.wikipedia.org/wiki/Public_key_infrastructure) (_PKI_) processing. In our infrastructure, applications needing a new SSL certificate also need to trigger some processing in the control plane. The majority of our applications are not allowed to generate new SSL certificates due to security reasons. The control plane has a different security boundary and network access, and is therefore allowed to generate certificates.  


| 
  |
| Figure1: Block Diagram of the PKI flow |


If an application needs a new certificate, the application owner explicitly adds a [Custom Resource Definition](/docs/tasks/access-kubernetes-api/extend-api-custom-resource-definitions/) (CRD) to the application’s Kubernetes config [1]. This CRD specifies parameters for the SSL certificate: _name, common name, and others_. A microservice in the control plane watches CRDs and triggers some processing for SSL certificate generation [2]. Once the certificate is ready, the same control plane service sends it to the API server in a Kubernetes [Secret](/docs/concepts/configuration/secret/) [3]. After that, the application containers access their certificates using Kubernetes [Secret VolumeMounts](/docs/concepts/storage/volumes/#secret) [4]. You can see a working demo of this system in our [example application](https://github.com/box/error-reporting-with-kubernetes-events) on GitHub.
Title: PKI Processing in Kubernetes at Box
Summary
Box uses Kubernetes clusters as a PaaS. Applications needing SSL certificates trigger processing in the control plane. Applications add a Custom Resource Definition (CRD) to their Kubernetes config, specifying certificate parameters. A control plane microservice watches CRDs and generates the certificate. Once ready, the control plane service sends it to the API server in a Kubernetes Secret, which the application containers can then access.