KubeDojo

PKI and Certificate Management

by Alexis Kinsella · 18 min read

A Kubernetes cluster generates over 20 certificate and key files during bootstrap: three separate certificate authorities, dozens of client and server certificates, and a service account key pair. Most operators never look at these files until something expires at 2 AM and the API server stops responding.

PKI is the invisible foundation of Kubernetes security. Every component-to-component connection relies on TLS certificates signed by cluster-internal CAs. The kubelet authenticates to the API server with a client cert. etcd encrypts peer traffic with its own CA. The API server presents a server cert to every kubectl command you run. For the KCSA exam (Platform Security, 16%), you need to understand how this certificate infrastructure works, why it's structured the way it is, and what happens when it breaks.
