Why does kubeconfig need the CA certificate?

Giuseppe Crinò
Sep 30, 2022
  • If you look at your kubeconfig you’ll notice that each of your clusters has a CA certificate attached to it
  • If you remove it, kubectl refuses to talk to the cluster: “Unable to connect to the server: x509: certificate signed by unknown authority”
  • Note that your clients (browsers, curl, …) always carry a set of CA certs to trust. They’re stored somewhere on the filesystem, in a location that depends on the operating system. kubectl is no exception
  • The CA cert you provide to kubectl is the certificate of the root CA that signs the other Kubernetes certificates (e.g. the TLS certificate of the API server)
  • When you connect to the API server it returns a certificate signed by that root CA. If you don’t give kubectl the root certificate, your client has no way to verify that the API server is legitimate
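The check kubectl performs, reproduced as an added example (not the author's code and not kubectl's own): a constructed cluster CA issues a constructed API-server certificate, and the same certificate is then verified once with the CA in the trust pool and once without it. The hostname `kubernetes.default.svc` and the certificate names are assumptions made for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl with parent/parentKey; a nil parent means self-signed, i.e. the root CA.
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // keygen from rand.Reader does not fail
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above; cannot fail to parse
	return cert, key
}

// VerifyAPIServer mirrors kubectl's TLS check: the server cert must chain to a root in the pool and match the host dialled.
func VerifyAPIServer(server *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Demo verifies a constructed API-server cert with its CA in the pool (as kubeconfig supplies it) and with no CA.
func Demo() (withCA, withoutCA error) {
	now := time.Now()
	ca, caKey := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "kubernetes-ca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	server, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "kube-apiserver"},
		DNSNames:  []string{"kubernetes.default.svc"}, // constructed API server hostname
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	trusted := x509.NewCertPool() // the pool kubectl builds from certificate-authority-data
	trusted.AddCert(ca)
	return VerifyAPIServer(server, trusted, "kubernetes.default.svc"),
		VerifyAPIServer(server, x509.NewCertPool(), "kubernetes.default.svc") // non-nil empty pool: CA entry removed (nil would mean system roots)
}
```

The second verification fails with exactly the `x509: certificate signed by unknown authority` text kubectl prints, because kubectl is built on the same Go `crypto/x509` verifier.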
