Kubelet server side certificate validation by API server


#1

Hi,
As per the docs, kubelet creates its own self-signed certificate, in case one is not given, to run in HTTPS mode.

Since this is a self-signed certificate generated at start, the CA for this is not shared with the apiserver or anyone else.
The question is: how does someone reaching the kubelet, for example the apiserver, validate the HTTPS (server-side) certificate of the kubelet?

Thanks


#2

It should only generate its own self-signed certificate if no certificate is provided.

--tls-cert-file string
File containing x509 Certificate used for serving HTTPS (with intermediate certs, if any, concatenated after server cert). If --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key are generated for the public address and saved to the directory passed to --cert-dir.

#3

Hi,
Thanks for the revert.
I figured the same thing which you pointed out.
And so is the case: in my setup it is generating certs at start time, and hence I am curious how the communication is happening.
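
The validation question raised in this thread can be reproduced in isolation. The following Go program is an added example, not code from the thread or from Kubernetes: it shows what a client whose only trust root is a cluster CA concludes about a CA-issued serving certificate versus a self-signed one for the same node name. The helper functions and the names node-1.example and constructed-cluster-ca are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a cert for name; a nil parent makes it self-signed, as kubelet does without --tls-cert-file.
func issue(name string, isCA bool, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// TrustedBy reports whether a client whose only trust root is ca accepts cert for host.
func TrustedBy(ca, cert *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

func Demo() (caIssued, selfSigned bool) {
	ca, caKey := issue("constructed-cluster-ca", true, nil, nil) // all names are constructed
	good, _ := issue("node-1.example", false, ca, caKey)
	self, _ := issue("node-1.example", false, nil, nil)
	return TrustedBy(ca, good, "node-1.example"), TrustedBy(ca, self, "node-1.example")
}

func main() { fmt.Println(Demo()) }
```

Demo returns true for the CA-issued certificate and false for the self-signed one: a client that verifies the peer needs a trust anchor that covers the serving certificate, and a certificate generated at start-up chains to nothing the client already holds.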