The world of cryptography is on the cusp of a major shift with the advent of quantum computing. While powerful quantum computers are still largely theoretical for many applications, their potential to break current cryptographic standards is a serious concern, especially for long-lived systems. This is where Post-Quantum Cryptography (PQC) comes in. In this article, I'll dive into what PQC means for TLS and, more specifically, for the Kubernetes ecosystem. I’ll explain what the (suprising) state of PQC in Kubernetes is and what the implications are for current and future clusters.

K8S Contributors

Kubernetes v1.33 now supports post-quantum cryptography by default through Go 1.24's implementation of X25519MLKEM768 hybrid key exchange. This quantum-resistant encryption protects against future quantum computer attacks on current cryptographic standards. While key exchange mechanisms are ready, post-quantum digital signatures face challenges with larger key sizes and performance overhead. The transition includes potential pitfalls like Go version mismatches causing downgrades to classical cryptography and packet size issues with ClientHello messages.

Post-Quantum Cryptography in Kubernetes

Key exchange vs. digital signatures: different needs, different timelines

State of PQC key exchange mechanisms (KEMs) today

Post-quantum KEMs in Kubernetes: an unexpected arrival