Hi Guys, I am really confused on setting up the CA and generating the certificat . . .

jitender chand:
Hi Guys,
I am really confused on setting up the CA and generating the certification for client and server. I came across one article where they state example how can we CURL kube api server by sending the certificate along with the API.

curl $KUBE_API/apis/apps/v1/deployments \
  --cacert ~/.minikube/ca.crt \
  --cert ~/.minikube/profiles/cluster1/client.crt \
  --key ~/.minikube/profiles/cluster1/client.key

What is confusing for me in above example that,

  1. Why are we sending the client's private key client.key along with the curl request? Wouldn't that be a security risk?

  2. Why are we sending ca.crt along with the API call? What is its role here? As per my understanding, the kube API server already has access to ca.crt and ca.key in order to decode the client.crt.
    My understanding was that client.crt would be enough to get the result, since it was signed by the cluster CA. I am comparing it to how normal HTTPS would work in the browser. Let's take the example of youtube.com.

  3. First, the browser will validate the certificate, checking whether it was issued by an authorized company.

  4. Second, the browser will encrypt all outgoing information with this certificate.
    Can someone please help me here to understand this?

R May:
Because mutual TLS is established between the client (curl) and the kube-apiserver.
First the client receives the kube-apiserver's certificate and then validates it using "ca.crt".
Then the client sends its client.crt to the kube-apiserver.
Once the kube-apiserver validates the client's client.crt, both the client and the kube-apiserver create a secret-sharing key to communicate, using client.key.
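An added example, not from this thread or from minikube: the script below builds a throwaway CA with openssl and uses it to show what each of the three curl arguments is. ca.crt is the trust anchor the client checks the server against, client.crt is the CA-signed identity that curl presents, and client.key stays on disk and is only used locally to sign a handshake message that proves possession of the key matching client.crt; the key itself is never transmitted. The same CA check the apiserver performs is run with `openssl verify`, once against a properly signed certificate and once against a certificate with an identical subject signed by a rogue CA, which must fail. All names, subjects and the temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): a throwaway mTLS PKI built with openssl.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

make_pki() {
  # 1. Cluster CA: key + self-signed cert. The cert is what curl gets as --cacert.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=demo-cluster-ca" 2>/dev/null
  # 2. Client key + CSR. The key is created here and never leaves this directory;
  #    only the CSR (public key + subject) goes to the CA for signing.
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" \
    -subj "/CN=demo-client/O=demo-group" 2>/dev/null
  # 3. The CA signs the CSR, producing client.crt (the --cert argument).
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/client.crt" 2>/dev/null
  # 4. A rogue CA signs the very same CSR: same subject, different issuer.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/rogue-ca.key" -out "$WORK/rogue-ca.crt" \
    -subj "/CN=rogue-ca" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/rogue-ca.crt" -CAkey "$WORK/rogue-ca.key" \
    -CAcreateserial -days 1 -out "$WORK/rogue-client.crt" 2>/dev/null
}

# What the apiserver does with its own copy of the CA cert: chain check only,
# no CA private key needed (ca.key is used for signing, never for verifying).
client_cert_is_valid() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/client.crt" >/dev/null 2>&1
}

# Same subject, signed by the wrong CA: the chain check must reject it.
rogue_cert_is_valid() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/rogue-client.crt" >/dev/null 2>&1
}

# What the TLS handshake proves about client.key: the public key inside client.crt
# is the one that pairs with it. TLS demonstrates this with a signature computed
# locally; this check just compares the two public keys directly.
key_matches_cert() {
  [ "$(openssl x509 -in "$WORK/client.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/client.key" -pubout)" ]
}

# The identity the apiserver derives from a valid client cert: CN becomes the
# username and each O becomes a group.
client_identity() {
  openssl x509 -in "$WORK/client.crt" -noout -subject
}

make_pki
client_cert_is_valid && echo "client.crt chains to ca.crt: OK"
rogue_cert_is_valid || echo "rogue-client.crt rejected by ca.crt: OK"
key_matches_cert && echo "client.key pairs with client.crt: OK"
echo "identity presented to the apiserver: $(client_identity)"
```

Run it anywhere openssl is installed; nothing is listened on or sent over the network. The three checks are the conceptual pieces of the handshake the answer above describes, separated out so each file's role is visible.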

jitender chand:
Thanks