Certificates in Kubernetes are primarily used to secure communication from and to the API server. Taken from the official Kubernetes documentation:

Every Kubernetes cluster has a cluster root Certificate Authority (CA). The CA is generally used by cluster components to validate the API server’s certificate, by the API server to validate kubelet client certificates, etc. To support this, the CA certificate bundle is distributed to every node in the cluster and is distributed as a secret attached to default service accounts. Optionally, your workloads can use this CA to establish trust. Your application can request a certificate signing using the certificates.k8s.io API using a protocol that is similar to the ACME draft.

When creating a cluster with kubeadm, the tool at first creates a CA in /etc/kubernetes/pki and signs all following certificates with its private key. The ca is later distributed on all nodes for verification and also found base64 encoded in /etc/kubernetes/admin.conf for verification of the api server via kubectl.

It is possible to use your own CA for cluster creation by placing it and your private key as ca.crt and ca.key in /etc/kubernetes/pki before invoking kubeadm init or any folder later specified with --cert-dir.

There are many other ways to install Kubernetes but they all essentially create a CA before any actual Kubernetes code runs or require one to exist beforehand.