I see that kubelet is creating a pair of self-signed certificates in /var/run/kubernetes/:
# ll /var/run/kubernetes/
total 8
-rw-r--r--. 1 root root 1164 iul 6 05:38 kubelet.crt
-rw-------. 1 root root 1679 iul 6 05:38 kubelet.key
Those are used for its own TLS configuration and also have "CA:TRUE" set. If deleted, they are recreated.
My first question is: what is the purpose of making them with CA:true? Is kubelet creating other certificates with those? If yes, for what purpose?
Why is the apiserver automatically trusting those certificates?
Best regards, Cristian
kubelet needs certs for its HTTPS server on port 10250. It doesn't need to sign certs, so CA:TRUE is redundant. Not sure why it's created this way.
IIRC, kube-apiserver trusts any cert if it is run without the --tls-ca-file set. I recall that some of the older k8s tutorials didn't enforce TLS.
Also, anyone/anything will have unfettered access to kubelet until you turn on kubelet authentication.
In any case, your k8s cluster is insecure if it's run this way. I suggest using kargo, kops, kubeadm or any one of the well-known tools to raise your cluster. These solutions build a proper cert hierarchy as part of the setup process.
Extra information from kubelet's docs:
--cert-dir string The directory where the TLS certs are located (by default /var/run/kubernetes). If --tls-cert-file and --tls-private-key-file are provided, this flag will be ignored. (default "/var/run/kubernetes")
--tls-cert-file string File containing x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert). If --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key are generated for the public address and saved to the directory passed to --cert-dir.
--port int32 The port for the Kubelet to serve on. (default 10250)
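As an added illustration (not part of the thread, and not kubelet's or any cluster tool's own code), the script below audits a kubelet serving certificate for the two properties discussed: whether it is self-signed (issuer equals subject) and whether it asserts CA:TRUE. To run offline it constructs its own throwaway material: one self-signed kubelet.crt with CA:TRUE, mirroring what the question describes, and one kubelet.crt issued as a CA:FALSE leaf by a separate cluster CA, the shape the tools mentioned in the answer produce. It assumes the openssl command-line tool is installed; the directory names and CNs (kubelet-demo, demo-cluster-ca) are constructed for the demo, and the real path /var/run/kubernetes/kubelet.crt is the default quoted from the kubelet docs above.

```shell
#!/bin/sh
# Added audit helper, not from the original thread or from kubelet itself.
# Assumes the openssl CLI is available. All certificates it creates are
# constructed demo material; point audit_kubelet_cert at a real file on a node.

# is_ca_cert FILE: succeed if the certificate carries basicConstraints CA:TRUE
is_ca_cert() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# is_self_signed FILE: succeed if the issuer DN is identical to the subject DN
is_self_signed() {
  issuer=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null | sed 's/^issuer=//')
  subject=$(openssl x509 -in "$1" -noout -subject 2>/dev/null | sed 's/^subject=//')
  [ -n "$issuer" ] && [ "$issuer" = "$subject" ]
}

# audit_kubelet_cert FILE: print a one-line verdict such as "self-signed CA:TRUE"
audit_kubelet_cert() {
  if is_self_signed "$1"; then origin="self-signed"; else origin="CA-signed"; fi
  if is_ca_cert "$1"; then ca="CA:TRUE"; else ca="CA:FALSE"; fi
  echo "$origin $ca"
}

# write_req_cnf FILE CN CAFLAG: minimal req config (so the demo does not depend
# on the system openssl.cnf); CAFLAG is TRUE or FALSE and only applies to -x509
write_req_cnf() {
  cat > "$1" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $2
[ext]
basicConstraints = critical,CA:$3
EOF
}

# make_selfsigned_demo DIR: constructed stand-in for the situation in the
# question, a self-signed kubelet.crt that also asserts CA:TRUE
make_selfsigned_demo() {
  mkdir -p "$1"
  write_req_cnf "$1/req.cnf" kubelet-demo TRUE
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/req.cnf" \
    -keyout "$1/kubelet.key" -out "$1/kubelet.crt" >/dev/null 2>&1
}

# make_hierarchy_demo DIR: constructed stand-in for a proper hierarchy, a
# cluster CA that issues a CA:FALSE serving certificate to the kubelet
make_hierarchy_demo() {
  mkdir -p "$1"
  write_req_cnf "$1/ca.cnf" demo-cluster-ca TRUE
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/ca.cnf" \
    -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
  write_req_cnf "$1/leaf.cnf" kubelet-demo FALSE
  openssl req -new -newkey rsa:2048 -nodes -config "$1/leaf.cnf" \
    -keyout "$1/kubelet.key" -out "$1/kubelet.csr" >/dev/null 2>&1
  printf 'basicConstraints = critical,CA:FALSE\n' > "$1/leaf.ext"
  openssl x509 -req -in "$1/kubelet.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -extfile "$1/leaf.ext" \
    -out "$1/kubelet.crt" >/dev/null 2>&1
}

# Demo run on constructed material; on a real node you would instead call
#   audit_kubelet_cert /var/run/kubernetes/kubelet.crt
demo_dir=$(mktemp -d)
make_selfsigned_demo "$demo_dir/self"
make_hierarchy_demo "$demo_dir/hier"
echo "self-signed demo: $(audit_kubelet_cert "$demo_dir/self/kubelet.crt")"
echo "hierarchy demo:   $(audit_kubelet_cert "$demo_dir/hier/kubelet.crt")"
```

A verdict of "self-signed CA:TRUE" on a real node is the state described in the question: nothing in the cluster can distinguish that kubelet from one that was simply stood up by whoever reaches the node, and the CA bit adds nothing the HTTPS listener on port 10250 needs. "CA-signed CA:FALSE", with the issuer being your cluster CA, is what the setup tools named in the answer leave behind.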