Your cluster just failed because of an expired certificate.

It shouldn’t have. Certificate rotation in Kubernetes is not hard, but most clusters run it wrong. The result? Security holes, broken workloads, and downtime that nobody saw coming. Add Kubernetes Network Policies into the picture and you either have a fortress or a mess. Which one you get depends on whether you treat rotation and policy as a single, living system.

Certificates in Kubernetes exist everywhere: API server, kubelets, controllers, webhook services, ingress. They expire. If you rely on manual renewal, you are trusting human schedules over the unforgiving clock in your cluster. Automatic certificate rotation is built into Kubernetes, but it’s only reliable when configured, tested, and observed. Without that, your Not After date becomes an outage date.

Network Policies decide which pods can talk. Not configuring them is like giving every pod unrestricted root access to your network. But configuring them without considering certificate updates is a trap. When certificates rotate, pods may restart or new pods replace old ones. Labels might change. Endpoints may shift. A policy that was airtight yesterday can leak today if selectors don’t match rotated workloads.

The right way to manage this is to make certificate rotation and Network Policies one workflow. Automate rotation with short-lived certs and a renewal system you can trigger, observe, and roll back. Pair that with policies that select by intent, not by fragile runtime labels. Test rotation inside staging with policies enforced. Watch what breaks before production teaches you the lesson.
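As an added example (not code from this post or from hoop.dev), here is a small offline check for the selector drift described above: given a NetworkPolicy and the pods left after a rotation rollout, it reports which pods in the policy's namespace no selector references any more. The policy, pod names and labels are constructed sample values, and the check only covers same-namespace podSelectors.

```python
# Added example: offline selector-drift check; POLICY and PODS are constructed samples.

def selector_matches(selector, labels):
    """Kubernetes LabelSelector semantics: matchLabels and matchExpressions are ANDed."""
    for key, value in (selector.get("matchLabels") or {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions") or []:
        key, op, values = expr["key"], expr["operator"], expr.get("values") or []
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op in ("Exists", "DoesNotExist") and present != (op == "Exists"):
            return False
    return True  # an empty selector matches every pod

def policy_coverage(policy, pods):
    """Return (targets, peers): names picked by spec.podSelector and by ingress 'from' podSelectors."""
    spec, ns = policy["spec"], policy["metadata"]["namespace"]
    local = [p for p in pods if p["namespace"] == ns]
    targets = {p["name"] for p in local
               if selector_matches(spec.get("podSelector", {}), p["labels"])}
    peers = set()
    for rule in spec.get("ingress") or []:
        for src in rule.get("from") or []:
            sel = src.get("podSelector")
            if sel is None or "namespaceSelector" in src:
                continue  # cross-namespace peers are out of scope for this check
            peers |= {p["name"] for p in local if selector_matches(sel, p["labels"])}
    return targets, peers

def drift_report(policy, pods):
    """Same-namespace pods no selector references: traffic the policy now silently drops."""
    targets, peers = policy_coverage(policy, pods)
    return sorted(p["name"] for p in pods if p["namespace"] == policy["metadata"]["namespace"]
                  and p["name"] not in targets | peers)

# Constructed sample: a policy written before rotation and the pods after the
# rollout; the replacement frontend pod came up without the role label.
POLICY = {"metadata": {"name": "payments-ingress", "namespace": "shop"},
          "spec": {"podSelector": {"matchLabels": {"app": "payments"}},
                   "ingress": [{"from": [{"podSelector": {"matchExpressions": [
                       {"key": "role", "operator": "In", "values": ["frontend"]}]}}]}]}}
PODS = [{"name": "payments-7c9d", "namespace": "shop", "labels": {"app": "payments"}},
        {"name": "frontend-old", "namespace": "shop", "labels": {"app": "web", "role": "frontend"}},
        {"name": "frontend-5f1a", "namespace": "shop", "labels": {"app": "web"}}]
```

Running `drift_report(POLICY, PODS)` names the replacement frontend pod, which the policy's ingress rule no longer admits; the same check against live `kubectl get pods -o json` output is what a staging rotation test should assert on.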

Kubernetes will not warn you if your pod-to-pod encryption silently stops working because a cert expired and your policy blocked the fallback path. It will just stop delivering packets. Which is exactly what you want your policy to do—if and only if the certs match reality.

This is not about “best practices.” It’s about uptime and integrity. Treat every certificate and every network policy as part of the same trust graph. Rotate together. Audit together. Alert together.

You can see how this works without spending days building a lab. Run it live in minutes at hoop.dev and watch rotation, policy, and trust lines move in real time. Then ship it to production before the next expiration takes you down.
