Securing cluster access with mTLS client certificates

Hello,

I have set up the dask-kubernetes operator on k8s, and everything is working fine, but I have some problems exposing the scheduler outside of k8s to our company VPN.

The scheduler uses raw TCP, so I can simply expose the port through a k8s LoadBalancer or Traefik proxy. But then it is open to the whole network.

I would like to configure the scheduler to only accept clients signed by a certain CA, and keep all other (scheduler ↔ worker) traffic unencrypted. Is something like this possible with the current cluster configuration options?

Thank you

Hi,

I’ll let @jacobtomlinson answer to this, but I’m under the impression that it is more a Kubernetes configuration than anything else. I don’t think you can do it by configuring dask-kubernetes.

This isn’t really related to dask-kubernetes. In distributed we support encrypting connections with mTLS regardless of how you deploy it, however I think it is all-or-nothing, so if you enable it then worker<>scheduler communication will be encrypted too.
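For reference, this is what the all-or-nothing mTLS setup mentioned in the answer looks like in the `distributed` configuration (an added illustration, not config posted in the thread). The certificate and key paths are placeholders; every role (scheduler, worker, client) needs a certificate issued by the same CA, and with `require-encryption` set the scheduler rejects any peer that does not present one.

```yaml
# ~/.config/dask/distributed.yaml (or merged via DASK_ environment variables)
distributed:
  comm:
    # Refuse plain tcp:// connections entirely; only tls:// peers are accepted.
    require-encryption: true
    tls:
      # CA that must have signed every peer certificate (placeholder path).
      ca-file: /etc/dask/tls/ca.pem
      # Leave null to use the library defaults; restrict only if policy requires it.
      ciphers: null
      scheduler:
        cert: /etc/dask/tls/scheduler.pem   # placeholder
        key: /etc/dask/tls/scheduler-key.pem
      worker:
        # Workers need their own cert too: there is no per-link opt-out.
        cert: /etc/dask/tls/worker.pem      # placeholder
        key: /etc/dask/tls/worker-key.pem
      client:
        # Only clients holding a CA-signed cert (and its key) can connect.
        cert: /etc/dask/tls/client.pem      # placeholder
        key: /etc/dask/tls/client-key.pem
```

With this in place the scheduler is addressed as `tls://<host>:8786` from the client, and the scheduler ↔ worker links are encrypted as well, which is the trade-off the answer describes.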