I am getting confused with all the certificates and keys in Kubernetes.
Inside the master I have the following certificates and keys:
/etc/kubernetes/pki/apiserver.crt
/etc/kubernetes/pki/apiserver.key
/etc/kubernetes/pki/apiserver-kubelet-client.crt
/etc/kubernetes/pki/apiserver-kubelet-client.key
/var/lib/kubelet/pki/kubelet.crt
/var/lib/kubelet/pki/kubelet.key
The apiserver-kubelet-client (crt\key) is used for secure communication between the apiserver and the kubelet inside the Master.
Why do I also have the kubelet (crt\key)? Isn't the apiserver-kubelet-client (crt\key) enough?
Why do I need apiserver (crt\key) if I have apiserver-kubelet-client (crt\key)?
Hope someone can make some order with this.
I read this article about Kubernetes PKI but I still don't understand what the difference is between the above certificates and keys.
While preparing certs, you will end up with at least 1 file.
You can read about it in Kubernetes docs here.
It’s hard to say by the names of your certs what they are used for. You should refer to the standard configuration. Besides, you can have a look at kelseyhightower/kubernetes-the-hard-way as he’s showing how and when to use certificates.
You can check this comment posted on Github regarding what kind of certificates are needed between which services.
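The answers above point at the standard configuration rather than at the files themselves, so here is an added example (not part of the question or either answer, and not Kubernetes or kubeadm code) that shows what actually separates the three certificates named in the question: their role, encoded in the X.509 extended key usage, and the name they carry. It uses only Go's standard library and issues throwaway versions of apiserver.crt (a serving certificate with cluster SANs), apiserver-kubelet-client.crt (a client certificate the apiserver presents when it connects to a kubelet) and kubelet.crt (the kubelet's own serving certificate for its node name) under one throwaway CA, then checks which role a verifier will accept each one in. The subjects, SANs and the node name are illustrative assumptions modelled on kubeadm-style defaults; signing all three with one CA is a simplification for the demo, so on a real node check the issuer of kubelet.crt yourself, since the kubelet may have generated that certificate itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Results records which (certificate, role, expected name) combinations a verifier trusting the CA accepts.
type Results struct {
	APIServerServesClusterName bool // apiserver.crt as a TLS server named kubernetes.default.svc
	KubeletClientAsClient      bool // apiserver-kubelet-client.crt as a TLS client
	KubeletClientAsServer      bool // the same client cert offered as a TLS server (expected: false)
	KubeletServesNode          bool // kubelet.crt as a TLS server named node-1 (node name assumed)
	APIServerServesNode        bool // apiserver.crt offered under the node's name (expected: false)
}

var now = time.Now()

// sign generates a fresh P-256 key, has parent sign tmpl for that key and returns the
// parsed certificate. A nil parent yields a self-signed CA. Template errors are bugs, so it panics.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// leaf builds a leaf template. The extended key usage is what distinguishes a serving
// certificate (serverAuth) from a client certificate (clientAuth); DNS SANs only matter for serving.
func leaf(serial int64, cn string, org, dns []string, eku x509.ExtKeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn, Organization: org},
		DNSNames:     dns,
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
}

// accepted reports whether a peer trusting ca accepts cert in the given role; dnsName is the
// host the peer expects (empty when checking a client certificate, where no hostname applies).
func accepted(ca, cert *x509.Certificate, role x509.ExtKeyUsage, dnsName string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   dnsName,
		KeyUsages: []x509.ExtKeyUsage{role},
	})
	return err == nil
}

// Demonstrate issues the three certificates from the question under one throwaway CA
// (standing in for ca.crt) and checks which role each one can actually fill.
func Demonstrate() Results {
	ca, caKey := sign(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "kubernetes"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	// apiserver.crt: serving cert for the API endpoint (SANs illustrative).
	apiserver, _ := sign(leaf(2, "kube-apiserver", nil,
		[]string{"kubernetes", "kubernetes.default", "kubernetes.default.svc"},
		x509.ExtKeyUsageServerAuth), ca, caKey)
	// apiserver-kubelet-client.crt: client cert the apiserver presents to kubelets
	// (subject is an assumption modelled on kubeadm's default; check yours with openssl).
	kubeletClient, _ := sign(leaf(3, "kube-apiserver-kubelet-client",
		[]string{"system:masters"}, nil, x509.ExtKeyUsageClientAuth), ca, caKey)
	// kubelet.crt: serving cert for the kubelet's own port on node-1 (node name assumed).
	kubelet, _ := sign(leaf(4, "system:node:node-1", []string{"system:nodes"},
		[]string{"node-1"}, x509.ExtKeyUsageServerAuth), ca, caKey)

	var r Results
	r.APIServerServesClusterName = accepted(ca, apiserver, x509.ExtKeyUsageServerAuth, "kubernetes.default.svc")
	r.KubeletClientAsClient = accepted(ca, kubeletClient, x509.ExtKeyUsageClientAuth, "")
	r.KubeletClientAsServer = accepted(ca, kubeletClient, x509.ExtKeyUsageServerAuth, "")
	r.KubeletServesNode = accepted(ca, kubelet, x509.ExtKeyUsageServerAuth, "node-1")
	r.APIServerServesNode = accepted(ca, apiserver, x509.ExtKeyUsageServerAuth, "node-1")
	return r
}

func main() { fmt.Printf("%+v\n", Demonstrate()) }
```

Running it prints `true true false true false`: the client certificate is rejected the moment it is offered as a server, and the apiserver's serving certificate is rejected under the node's name, which is why the three files cannot substitute for one another even though the same CA signed them. The same properties are what to inspect on the real files; with OpenSSL 1.1.1 or later, `openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -subject -issuer -ext extendedKeyUsage,subjectAltName` (and the same for the other two paths) shows the role and names of each one directly.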