What is the difference between apiserver-kubelet-client, apiserver and kubelet certificates

6/25/2018

I am getting confused with all the certificates and keys in Kubernetes.

Inside the master I have the following certificates and keys:

/etc/kubernetes/pki/apiserver.crt
/etc/kubernetes/pki/apiserver.key

/etc/kubernetes/pki/apiserver-kubelet-client.crt
/etc/kubernetes/pki/apiserver-kubelet-client.key

/var/lib/kubelet/pki/kubelet.crt
/var/lib/kubelet/pki/kubelet.key

The apiserver-kubelet-client (crt\key) is used for secure communication between the apiserver and the kubelet inside the Master.
Why do I also have the kubelet (crt\key)? Isn't the apiserver-kubelet-client (crt\key) enough?

Why do I need apiserver (crt\key) if I have apiserver-kubelet-client (crt\key)?

Hope someone can bring some order to this.

I read this article about Kubernetes PKI but I still don't understand what the difference is between the above certificates and keys.

-- E235
kubernetes
pki
private-key
ssl-certificate

1 Answer

6/26/2018

While preparing certs, you will end up with at least 1 file.

  • CA_CERT
    • put it on the node where the apiserver runs, for example in /srv/kubernetes/ca.crt.
  • MASTER_CERT
    • signed by CA_CERT
    • put it on the node where the apiserver runs, for example in /srv/kubernetes/server.crt
  • MASTER_KEY
    • put it on the node where the apiserver runs, for example in /srv/kubernetes/server.key

You can read about it in Kubernetes docs here.

It’s hard to say from the names of your certs what they are used for. You should refer to the standard configuration. Besides, you can have a look at kelseyhightower/kubernetes-the-hard-way, as he’s showing how and when to use certificates.

You can check this comment posted on GitHub regarding what kind of certificates are needed between which services.

-- Crou
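As an added example (not part of the question or the answer above), the script below mints a throwaway CA, a server-style certificate and a client-style certificate with openssl and then reports each file's role from its Extended Key Usage, which is what actually separates a cert a service presents to callers (serverAuth, as apiserver.crt does) from one it uses to authenticate itself when calling another service (clientAuth, as apiserver-kubelet-client.crt does). The CA name, subjects, SANs and temp-dir paths are constructed for the demo; the same cert_role function can be pointed at the real files under /etc/kubernetes/pki.

```shell
#!/bin/sh
# Added demo (not from the question or answer): build a throwaway CA, a
# server-style cert and a client-style cert with openssl, then classify any
# PEM cert by its Extended Key Usage. All names and paths below are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# make_ca: self-signed CA that will sign the other two certs (the trust anchor)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-kubernetes-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# issue_cert NAME SUBJECT EKU [SAN]: new key + CSR, signed by the demo CA with that EKU
issue_cert() {
  name=$1; subj=$2; eku=$3; san=${4:-}
  printf 'extendedKeyUsage=%s\n' "$eku" > "$WORK/$name.ext"
  if [ -n "$san" ]; then printf 'subjectAltName=%s\n' "$san" >> "$WORK/$name.ext"; fi
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# cert_role FILE: prints server / client / both / unknown, read from the EKU extension.
# serverAuth = the cert a service presents to its callers; clientAuth = the cert it
# uses to prove its own identity when it calls another service. A CA cert has neither.
cert_role() {
  text=$(openssl x509 -in "$1" -noout -text)
  s=0; c=0
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' && s=1
  printf '%s\n' "$text" | grep -q 'TLS Web Client Authentication' && c=1
  if [ "$s$c" = 11 ]; then echo both
  elif [ "$s" = 1 ]; then echo server
  elif [ "$c" = 1 ]; then echo client
  else echo unknown; fi
}

# Demo: a server cert shaped like apiserver.crt (serverAuth + SANs) and a client cert
# shaped like apiserver-kubelet-client.crt (clientAuth, group via O=), same CA.
make_ca
issue_cert apiserver "/CN=kube-apiserver" serverAuth "DNS:kubernetes,DNS:kube-apiserver,IP:10.96.0.1"
issue_cert apiserver-kubelet-client "/O=system:masters/CN=kube-apiserver-kubelet-client" clientAuth
for f in "$WORK"/apiserver.crt "$WORK"/apiserver-kubelet-client.crt "$WORK"/ca.crt; do
  printf '%-32s role=%s\n' "$(basename "$f")" "$(cert_role "$f")"
done
# On a real master, run: cert_role /etc/kubernetes/pki/apiserver.crt (and the others).
```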
Source: StackOverflow