• https://kubernetes.io/docs/setup/best-practices/certificates/
• https://gist.github.com/detiber/81b515df272f5911959e81e39137a8bb

How certificates are used by your cluster

Kubernetes requires PKI for the following operations:

• Client certificates for the kubelet to authenticate to the API server
• Server certificate for the API server endpoint
• Client certificates for administrators of the cluster to authenticate to the API server
• Client certificates for the API server to talk to the kubelets
• Client certificate for the API server to talk to etcd
• Client certificate/kubeconfig for the controller manager to talk to the API server
• Client certificate/kubeconfig for the scheduler to talk to the API server.
• Client and server certificates for the front-proxy

Note: front-proxy certificates are required only if you run kube-proxy to support an extension API server. etcd also implements mutual TLS to authenticate clients and peers.

The API server’s TLS certificate (and certificate authority)

• --tls-cert-file string

   File containing the default x509 Certificate for HTTPS. (CA cert, if any,
   concatenated after server cert). If HTTPS serving is enabled, and
   --tls-cert-file and --tls-private-key-file are not provided, a self-signed
   certificate and key are generated for the public address and saved to
   /var/run/kubernetes.

• --tls-private-key-filestring

   File containing the default x509 private key matching --tls-cert-file.