I have copied rancher config file to local kube config, and once I tried to connect, get an error
Unable to connect to the server: x509: certificate signed by unknown authorityI'm not admin of this cluster, and can't really change settings. So I googled that I can add
insecure-skip-tls-verify: trueAnd removed certificates, leaving only username and token, and it starts to work.
Can you explain me, is it safe to use it like so, and why do we need certs at all if it could work without it as well?
You may treat it as additional layer of security. If you allow someone ( in this case to yourself ) to connect to cluster and manage it without a need to have a proper certificate, just keep in mind you allow it for everyone else.
insecure-skip-tls-verify: trueis pretty self-explanatory - yes, it's insecure as it skips tls verification and it is not recommended on production. As you can read in documentation:
--insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
Username and token provide some level of security as they are still required to be able to connect but it has nothing to do with establishing secure trusted connection. By default it can only be done by clients who have also proper certificate. If you don't want to skip tls verification, you may want to try this solution. Only for kubernetes >= 1.15 use command kubeadm alpha certs renew all.
More about managing TLS Certificates in a Kubernetes Cluster you can read here.