KubeDojo

Network Connectivity and TLS

by Alexis Kinsella · 16 min read

A default kubeadm cluster generates over 20 certificate and key files under /etc/kubernetes/pki before a single pod runs. API server, etcd, kubelet, controller-manager, scheduler: every component-to-component connection uses TLS. "TLS everywhere" is the baseline, not a feature.

But knowing that TLS exists tells you nothing useful on its own. Which certificates protect which connections? Where does encryption start and stop? What happens to traffic after it passes through your Ingress controller? This article breaks down the layered encryption model: the cluster PKI and its three CAs (the cluster CA, the etcd CA and the front-proxy CA), API server TLS configuration, kubelet certificate bootstrapping, Ingress TLS termination at the edge, and CNI-level transparent encryption for pod-to-pod traffic.
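The first question above, which certificate chains to which CA and what it may be used for, is something you can answer mechanically. The following is an added example (not code from the article or from KubeDojo) that builds a constructed in-memory stand-in for the kubeadm PKI directory with its three CAs and a few of the leaves kubeadm issues, plus one rogue certificate from a CA that is absent, then audits every leaf by actually verifying its signature against each CA rather than trusting the Issuer field. The file names mirror kubeadm's layout; the common names and SANs are constructed for the example and the function names (`AuditPKI`, `SamplePKI`) are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// CertReport records, for one leaf, which CA it chains to and what it may be used for.
type CertReport struct {
	File, Subject, CA      string // CA is the file name of the signing CA, or "UNTRUSTED"
	ServerAuth, ClientAuth bool
	DNSNames               []string
}

func parsePEM(b []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(b)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block")
	}
	return x509.ParseCertificate(block.Bytes)
}

// AuditPKI splits the files into self-signed CAs and leaves, then verifies every leaf
// against each CA on its own. A leaf that chains to none of them is reported UNTRUSTED.
func AuditPKI(files map[string][]byte) ([]CertReport, error) {
	cas := map[string]*x509.CertPool{}
	var caNames, leaves []string
	for name, b := range files {
		c, err := parsePEM(b)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		if c.IsCA && c.CheckSignatureFrom(c) == nil { // self-signed root
			pool := x509.NewCertPool()
			pool.AddCert(c)
			cas[name], caNames = pool, append(caNames, name)
		} else {
			leaves = append(leaves, name)
		}
	}
	sort.Strings(caNames)
	sort.Strings(leaves)
	var out []CertReport
	for _, name := range leaves {
		c, _ := parsePEM(files[name]) // already parsed successfully above
		r := CertReport{File: name, Subject: c.Subject.CommonName, CA: "UNTRUSTED", DNSNames: c.DNSNames}
		for _, u := range c.ExtKeyUsage {
			r.ServerAuth = r.ServerAuth || u == x509.ExtKeyUsageServerAuth
			r.ClientAuth = r.ClientAuth || u == x509.ExtKeyUsageClientAuth
		}
		for _, caName := range caNames {
			// ExtKeyUsageAny so that client-only certs are not rejected by the default ServerAuth check.
			_, err := c.Verify(x509.VerifyOptions{Roots: cas[caName], KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
			if err == nil {
				r.CA = caName
				break
			}
		}
		out = append(out, r)
	}
	return out, nil
}

var serial int64

// sign issues tmpl under parent/priv and returns the PEM plus the parsed certificate.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) ([]byte, *x509.Certificate) {
	serial++
	tmpl.SerialNumber = big.NewInt(serial)
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), c
}

func newCA(cn string) ([]byte, *x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: cn}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	p, c := sign(tmpl, tmpl, &key.PublicKey, key)
	return p, c, key
}

func newLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, dns []string, eku ...x509.ExtKeyUsage) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: cn}, DNSNames: dns, ExtKeyUsage: eku,
		KeyUsage: x509.KeyUsageDigitalSignature}
	p, _ := sign(tmpl, ca, &key.PublicKey, caKey)
	return p
}

// SamplePKI is a constructed in-memory stand-in for /etc/kubernetes/pki: kubeadm's three
// CAs, a few of the leaves it issues, and one rogue leaf whose CA is deliberately absent.
func SamplePKI() map[string][]byte {
	caPEM, ca, caKey := newCA("kubernetes")
	etcdPEM, etcd, etcdKey := newCA("etcd-ca")
	fpPEM, fp, fpKey := newCA("front-proxy-ca")
	_, rogue, rogueKey := newCA("not-our-ca") // its certificate is NOT placed in the map
	return map[string][]byte{
		"ca.crt": caPEM, "etcd/ca.crt": etcdPEM, "front-proxy-ca.crt": fpPEM,
		"apiserver.crt":                newLeaf(ca, caKey, "kube-apiserver", []string{"kubernetes", "kubernetes.default.svc"}, x509.ExtKeyUsageServerAuth),
		"apiserver-kubelet-client.crt": newLeaf(ca, caKey, "kube-apiserver-kubelet-client", nil, x509.ExtKeyUsageClientAuth),
		"apiserver-etcd-client.crt":    newLeaf(etcd, etcdKey, "kube-apiserver-etcd-client", nil, x509.ExtKeyUsageClientAuth),
		"etcd/server.crt":              newLeaf(etcd, etcdKey, "cp-1", []string{"cp-1", "localhost"}, x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth),
		"front-proxy-client.crt":       newLeaf(fp, fpKey, "front-proxy-client", nil, x509.ExtKeyUsageClientAuth),
		"rogue.crt":                    newLeaf(rogue, rogueKey, "rogue", nil, x509.ExtKeyUsageClientAuth),
	}
}

func main() {
	reports, err := AuditPKI(SamplePKI())
	if err != nil {
		panic(err)
	}
	for _, r := range reports {
		fmt.Printf("%-30s CN=%-30s CA=%-19s server=%-5t client=%-5t SAN=%v\n",
			r.File, r.Subject, r.CA, r.ServerAuth, r.ClientAuth, r.DNSNames)
	}
}
```

To run this against a real control-plane node, replace `SamplePKI()` with a map built by reading each `*.crt` under /etc/kubernetes/pki (including the etcd/ subdirectory). The point of verifying the signature rather than reading `Issuer` is that an attacker who can drop a file into that directory can set any Issuer they like; the chain check is what tells you whether the cluster CA, the etcd CA or the front-proxy CA actually vouches for the certificate, and the `rogue.crt` entry shows what that failure looks like.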

This lesson is part of the KCSA — Kubernetes and Cloud Native Security Associate course (39 lessons).