Cluster certificates and configuration directories

This reference page provides an overview of certificate authorities (CAs), certificates and configuration directories in use by a Canonical Kubernetes cluster.

Certificate Authorities (CAs)

This table outlines the common certificate authorities (CAs) used in a Kubernetes environment, detailing their specific purposes, usage, and locations on the disk.

Common Name

Purpose

File Location

Primary Function

kubernetes-ca

General Kubernetes CA

/etc/kubernetes/pki/ca.crt

Signing all Kubernetes-related certificates

kubernetes-front-proxy-ca

CA for front-end proxy

/etc/kubernetes/pki/front-proxy-ca.crt

Signing certificates for the front-proxy

client-ca

CA for client certificates

/etc/kubernetes/pki/client-ca.crt

Signing certificates for the client

Certificates

This table provides an overview of the certificates currently in use, including their roles, storage paths, and the entities responsible for their issuance.

Common Name

Purpose

File Location

Primary Function

Signed By

kube-apiserver

Server

/etc/kubernetes/pki/apiserver.crt

Securing the API server endpoint

kubernetes-ca

apiserver-kubelet-client

Client

/etc/kubernetes/pki/apiserver-kubelet-client.crt

API server communication with kubelet

kubernetes-ca-client

kube-apiserver-etcd-client

Client

/etc/kubernetes/pki/apiserver-etcd-client.crt

API server communication with etcd

kubernetes-ca-client

front-proxy-client

Client

/etc/kubernetes/pki/front-proxy-client.crt

API server communication with the front-proxy

kubernetes-front-proxy-ca

system:kube-controller-manager

Client

/etc/kubernetes/pki/controller-manager.crt

Communication between the controller manager and the API server

kubernetes-ca-client

system:kube-scheduler

Client

/etc/kubernetes/pki/scheduler.crt

Communication between the scheduler and the API server

kubernetes-ca-client

system:kube-proxy

Client

/etc/kubernetes/pki/proxy.crt

Communication between kube-proxy and the API server

kubernetes-ca-client

system:node:$hostname

Client

/etc/kubernetes/pki/kubelet-client.crt

Authentication of kubelet to the API server

kubernetes-ca-client

k8s-dqlite

Client

/var/snap/k8s/common/var/lib/k8s-dqlite/cluster.crt

Communication between k8s-dqlite nodes and API server

self-signed

root@$hostname

Client

/var/snap/k8s/common/var/lib/k8s-dqlite/cluster.crt

Communication between k8sd nodes

self-signed

Configuration files for Kubernetes components

The following tables provide an overview of the configuration files used to communicate with the cluster services.

Control-plane node

Control-plane nodes use the following configuration files.

Configuration File

Purpose

File Location

Primary Function

admin.conf

Administrator Client Config

/etc/kubernetes/admin.conf

Admin access to the cluster

controller-manager.conf

Controller Manager Client Config

/etc/kubernetes/controller-manager.conf

Communication with the API server

scheduler.conf

Scheduler Client Config

/etc/kubernetes/scheduler.conf

Communication with the API server

kubelet.conf

Kubelet Client Config

/etc/kubernetes/kubelet.conf

Node registration and communication with API server

proxy.conf

Proxy Client Config

/etc/kubernetes/proxy.conf

Communication with the API server

Worker node

Worker nodes use the following configuration files.

Configuration File

Purpose

File Location

Primary Function

proxy.conf

Proxy Client Config

/etc/kubernetes/proxy.conf

Communication with the API server

kubelet.conf

Kubelet Client Config

/etc/kubernetes/kubelet.conf

Node registration and communication with API server