I am new to Kubernetes. I have some confusion about the CA certificates used in a Kubernetes cluster. As far as I know there are several CA certificates in Kubernetes, but I am still not clear about the function of each of them. Here is my understanding of them, but I am still not sure about it.
Root CA, also known as the serving CA:
- it signs the apiserver cert, which is configured in the apiserver with --tls-cert-file and --tls-private-key-file.
- this CA certificate is configured in kube-controller-manager with --root-ca-file.
Client CA:
- this CA certificate can be an intermediate CA certificate signed by the root CA certificate.
- it is used to sign the certificates of the individual components in the cluster, which helps to identify their identities when RBAC and Node authorization are enabled; for example, it signs the kube-controller-manager, kube-scheduler, kube-proxy and kubelet certificates.
- it can be configured in the apiserver with --client-ca-file.
Requestheader client CA:
- this CA certificate can also be an intermediate CA certificate signed by the root CA certificate.
- I still don't understand what this CA is used for, or in what scenario the CA file is needed. I just found that if the metrics server is deployed, it asks for requestheader-related certificates and keys.
- for --proxy-client-cert-file and --proxy-client-key-file in kube-apiserver, what are the values of these parameters? Can the kubelet certificate and key be used?
Besides these CA certificates, I have also run into some confusion about other certificates.
- --service-account-key-file parameter in kube-apiserver and kube-controller-manager: which file should be configured? Is it the apiserver key file or the root CA key file?
- what can be set for --cluster-signing-cert-file and --cluster-signing-key-file in kube-controller-manager? Can we use the client CA and client CA key file?
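The trust layout the question describes (a self-signed root/serving CA that signs the apiserver serving certificate, and an intermediate client CA that signs the component client certificates) can be built and checked locally with openssl. The script below is an added example, not the poster's code and not taken from any Kubernetes distribution: it issues a throwaway PKI into a temp directory and then verifies which certificates chain to which CA. The CA names (`example-root-ca`, `example-client-ca`), the apiserver SANs and the one-day validity are constructed for the example; the `system:kube-scheduler` and `system:node:<name>` / `system:nodes` subjects are the CN/O identities that RBAC and the Node authorizer read from a client certificate.

```shell
#!/bin/sh
# Added example (not from the question's author): build a throwaway PKI laid out
# the way the question describes it, then check the trust relationships with openssl.
#   root CA (self-signed)                 -> signs the apiserver serving cert
#   client CA (intermediate under root)   -> signs component client certs
# Names other than the system:* identities are constructed for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # all keys and certs land here

# Extension profiles: one for CAs, one for the serving cert, one for client certs.
write_exts() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:kube-apiserver,DNS:kubernetes.default.svc\n' \
    > "$WORK/server.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' \
    > "$WORK/client.ext"
}

# new_cert <name> <subject> <issuer-name|self> <ext-profile>
# Generates a key + CSR, then signs it with the issuer (or self-signs for the root).
new_cert() {
  name=$1; subject=$2; issuer=$3; ext=$4
  openssl req -new -newkey rsa:2048 -nodes -subj "$subject" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  if [ "$issuer" = self ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" -days 1 \
      -extfile "$WORK/$ext.ext" -out "$WORK/$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.crt" \
      -CAkey "$WORK/$issuer.key" -CAcreateserial -days 1 \
      -extfile "$WORK/$ext.ext" -out "$WORK/$name.crt" 2>/dev/null
  fi
}

build_pki() {
  write_exts
  new_cert root-ca       "/CN=example-root-ca"                  self      ca
  new_cert client-ca     "/CN=example-client-ca"                root-ca   ca
  new_cert apiserver     "/CN=kube-apiserver"                   root-ca   server
  new_cert kube-scheduler "/CN=system:kube-scheduler"           client-ca client
  new_cert kubelet-node1 "/O=system:nodes/CN=system:node:node1" client-ca client
}

# Exit 0 if <name>.crt chains to the root when the client CA is offered as an intermediate.
verify_component() {
  openssl verify -CAfile "$WORK/root-ca.crt" -untrusted "$WORK/client-ca.crt" \
    "$WORK/$1.crt" >/dev/null 2>&1
}

# Exit 0 if <name>.crt chains to the root with no intermediate offered.
verify_direct() {
  openssl verify -CAfile "$WORK/root-ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# The subject (CN = user name, O = groups) that an apiserver would read from a client cert.
cert_subject() {
  openssl x509 -in "$WORK/$1.crt" -noout -subject
}

# Usage when run as a script: build everything and report what chains to what.
build_pki
for c in kube-scheduler kubelet-node1; do
  verify_component "$c" && echo "$c: chains to root via client CA: $(cert_subject "$c")"
  verify_direct "$c" || echo "$c: does NOT chain to root without the client CA"
done
verify_direct apiserver && echo "apiserver: signed directly by the root (serving cert)"
```

The two `verify_*` helpers make the distinction the question is circling concrete: a component certificate only validates when the client CA is part of the path, while the serving certificate validates against the root alone. Because the client CA is an intermediate, whatever file is handed to `--client-ca-file` must carry the CA certificate the component certificates were actually signed by, or the subjects (`system:kube-scheduler`, `system:node:node1` in group `system:nodes`) will never be accepted as client identities.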