Why do we need client TLS certificates in Kubernetes?

Why do we need a client TLS certificate for the api-server or kube-proxy etc.? Why can they use the server certificates of the component they are contacting, let's say etcd? The same happens in the case of a TLS handshake when we request a site in a browser.

The big difference is that when you go to a regular web site, the server does not care who you are exactly; it will accept anybody. But if you want to get data from the API server, the server needs to know who you are, so it can decide what rights you should have (if any) on that K8s cluster.

You use the TLS certificate (and the key) to identify yourself as a particular user.


Got it, Kubernetes practises mTLS rather than the traditional TLS handshake.