As I understand it, the kube-apiserver acts as a client when communicating with etcd and the kubelet; both etcd and the kubelet act as servers for the kube-apiserver. In a secure environment (two-way SSL authentication), the kube-apiserver needs the etcd and kubelet certificates and the CA certificate. What I don't understand is why we need to provide the private keys for etcd (etcd-keyfile) and the kubelet (kubelet-client-key) when configuring kube-apiserver.yaml?

srinu259

1 Answer

Because etcd uses X.509 mutual TLS authentication in kubernetes, the apiserver needs to be able to prove it has ownership of the client certificate that is presented to the server, and that happens via the private key.

There are other authentication options for etcd, but kubernetes doesn't use them, and it's unclear if the apiserver even offers a non-TLS authentication option for connecting to etcd, even if you wanted one.

mdaniel
  • Thanks @mdaniel. I was confused about mutual authentication initially, so what we provide in api-server.yaml are the api-server client certificates generated for ETCD and Kubelet. Since the api-server has ownership of the certs (as you mentioned), the keys are also provided in api-server.yaml. – srinu259 May 01 '20 at 08:08
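The mechanism the answer describes, as an added example that is not part of the original post and is not code from Kubernetes or etcd: a self-contained Go program builds a throwaway CA, issues a server certificate and a client certificate from it, starts a TLS server that requires CA-signed client certificates (the role etcd plays for the apiserver), and then connects as a client three ways. Only the client that holds the private key matching its certificate is accepted, because the private key is what signs the handshake's CertificateVerify message; the same certificate with a different key is refused. The names `issue`, `connect`, `Demo`, `demo-ca`, `etcd`, `kube-apiserver` and `impostor` are invented for this example; the comments map the pieces onto kube-apiserver's `--etcd-cafile`, `--etcd-certfile` and `--etcd-keyfile` and etcd's `--client-cert-auth` and `--trusted-ca-file`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func check(err error) { // setup failures are demo bugs, not TLS outcomes
	if err != nil {
		panic(err)
	}
}

// issue returns a fresh P-256 key and a certificate for it: self-signed when
// parent is nil (our toy CA), otherwise signed by parent's key.
func issue(cn string, isCA bool, eku x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough for a demo
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{eku},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// connect dials the server and reads its greeting. A client that cannot prove it
// owns its certificate is refused here: with TLS 1.3 the server's alert arrives
// on the first Read rather than from Dial itself.
func connect(addr string, cfg *tls.Config) error {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err == nil {
		defer conn.Close()
		_, err = conn.Read(make([]byte, 2))
	}
	return err
}

// Demo runs an etcd-like mTLS server that trusts one CA and connects to it as a
// client holding the certificate and its matching key, as a client with no
// certificate, and as one presenting the certificate with a non-matching key.
// A nil error means the server accepted that client.
func Demo() (withKey, noCert, wrongKey error) {
	caCert, caKey := issue("demo-ca", true, x509.ExtKeyUsageAny, nil, nil)
	srvCert, srvKey := issue("etcd", false, x509.ExtKeyUsageServerAuth, caCert, caKey)
	cliCert, cliKey := issue("kube-apiserver", false, x509.ExtKeyUsageClientAuth, caCert, caKey)
	_, otherKey := issue("impostor", false, x509.ExtKeyUsageClientAuth, caCert, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	// Server side: the equivalent of etcd's --client-cert-auth with --trusted-ca-file.
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
	})
	check(err)
	defer ln.Close()
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			// Write runs the handshake, which fails unless the client proved it
			// holds the private key of a CA-signed client certificate.
			go func(c net.Conn) { defer c.Close(); c.Write([]byte("ok")) }(c)
		}
	}()
	addr := ln.Addr().String()
	// RootCAs is --etcd-cafile; Certificates is --etcd-certfile plus --etcd-keyfile.
	withKey = connect(addr, &tls.Config{RootCAs: pool,
		Certificates: []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}}})
	noCert = connect(addr, &tls.Config{RootCAs: pool})
	wrongKey = connect(addr, &tls.Config{RootCAs: pool,
		Certificates: []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: otherKey}}})
	return
}

func main() {
	withKey, noCert, wrongKey := Demo()
	fmt.Printf("cert + key: %v\nno cert: %v\nwrong key: %v\n", withKey, noCert, wrongKey)
}
```

Run it with `go run .` and the first line prints `<nil>` while the other two print a TLS alert from the server. The same logic applies to the kubelet: `--kubelet-client-certificate` and `--kubelet-client-key` are the apiserver's own client credentials for talking to kubelets, not the kubelet's serving key, which is why both files live on the apiserver.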