I have a kubernetes cluster created with kops. And I see the below in apiserver commandline arguments.
--kubelet-client-certificate=/srv/kubernetes/kubelet-api.pem
--kubelet-client-key=/srv/kubernetes/kubelet-api-key.pem
How does a single cert and key will be used to communicate to all the worker nodes? Since I can see each worker node has its own certificate and root ca.
find below the extract from kubernetes documentation. It says that certificates are not validated when api server makes connection to kubelet.
The connections from the apiserver to a node, pod, or service default to plain HTTP connections and are therefore neither authenticated nor encrypted. They can be run over a secure HTTPS connection by prefixing https: to the node, pod, or service name in the API URL, but they will not validate the certificate provided by the HTTPS endpoint nor provide client credentials so while the connection will be encrypted, it will not provide any guarantees of integrity. These connections are not currently safe to run over untrusted and/or public networks.