
I see that kubelet is creating a pair of self-signed certificates in /var/run/kubernetes/:

# ll /var/run/kubernetes/
total 8
-rw-r--r--. 1 root root 1164 iul  6 05:38 kubelet.crt
-rw-------. 1 root root 1679 iul  6 05:38 kubelet.key

Those are used for its own TLS configuration and also have "CA:TRUE" set. If deleted, they are recreated.

My first question is: what is the purpose of making them with CA:TRUE? Is kubelet creating other certificates with those? If yes, for what purpose?

Why is the apiserver automatically trusting those certificates?

Best regards, Cristian

cristi

1 Answer


kubelet needs certs for its HTTPS server on port 10250. It doesn't need to sign certs, so CA:TRUE is redundant. Not sure why it's created this way.

IIRC, kube-apiserver trusts any cert if it is run without the --tls-ca-file set. I recall that some of the older k8s tutorials didn't enforce TLS.

Also, anyone/anything will have unfettered access to kubelet until you turn on kubelet authentication.

In any case, your k8s cluster is insecure if it's run this way. I suggest using kargo, kops, kubeadm or any one of the well-known tools to raise your cluster. These solutions build a proper cert hierarchy as part of the setup process.

Extra information from kubelet's docs:

--cert-dir string    The directory where the TLS certs are located (by default /var/run/kubernetes). If --tls-cert-file and --tls-private-key-file are provided, this flag will be ignored. (default "/var/run/kubernetes")
--tls-cert-file string    File containing x509 Certificate for HTTPS.  (CA cert, if any, concatenated after server cert). If --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key are generated for the public address and saved to the directory passed to --cert-dir.
--port int32    The port for the Kubelet to serve on. (default 10250)
Eugene Chow
  • The cluster was created with kubeadm. From your link it seems that the authorization is given to the apiserver by the default kubelet configuration. Thank you for your help. – cristi Jul 14 '17 at 15:53
  • If you set ServerTLSBootstrap to true in the Kubelet config, then Kubelet will send a certificate signing request to the Kube API Server, which, upon approval, will be used by Kubelet in its HTTPS server, and since this is signed by the Kubernetes CA, the Kube API Server will accept it. – Arghya Sadhu Dec 26 '19 at 08:59