I was going through the Control Plane Security in Google Cloud (GKE) course and referring to 'certificate authority and cluster trust' in the link below, and I have these questions. Can someone clarify these?
https://cloud.google.com/kubernetes-engine/docs/concepts/control-plane-security
Thanks in advance...
1.- That's correct. There is one certificate for master and node components, and another one for etcd. This article explains it better. Note that it's a GKE approach, not Kubernetes.
2.- The article I passed also explains this second point. Indeed there are two CAs. I quote: "In GKE, the master API certificate is signed by the cluster root CA. Each cluster runs its own CA, so that if one cluster's CA were to be compromised, no other cluster CA would be affected".
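To make the per-cluster CA point in the answer above concrete, here is an added example (not from the original post, and not GKE's own code) that builds the trust relationships as a toy model with Go's standard x509 package: two clusters each get their own self-signed root CA, cluster A additionally gets a separate etcd CA, and cluster A's root signs an API server certificate. A client then checks that certificate against each root the way kubectl or a node would. The CA names and the API server hostname are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ca is a toy root CA: a self-signed certificate plus its private key. It stands
// in for "one cluster's root CA" or "that cluster's etcd CA" from the answer
// above; it is not GKE's implementation, and the names used are assumptions.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func newCA(name string) (*ca, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	// Self-signed: template and parent are the same certificate.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ca{cert: cert, key: key}, nil
}

// issueServerCert signs a server certificate for dnsName with this CA, the way
// a cluster root CA signs its API server's certificate.
func (c *ca) issueServerCert(dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, &key.PublicKey, c.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// trusts is the check a client (kubectl, a node) performs on connect: does the
// leaf chain to the root it was configured with and carry the expected name?
func trusts(root, leaf *x509.Certificate, dnsName string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName})
	return err == nil
}

// Scenario builds cluster A's root CA, cluster B's root CA and cluster A's
// separate etcd CA, has cluster A's root sign an API server certificate, and
// reports which roots accept it: A's own root, B's root, and A's etcd CA.
func Scenario() (ownRoot, otherClusterRoot, etcdRoot bool, err error) {
	clusterA, err := newCA("cluster-a root CA") // hypothetical names
	if err != nil {
		return
	}
	clusterB, err := newCA("cluster-b root CA")
	if err != nil {
		return
	}
	etcdA, err := newCA("cluster-a etcd CA")
	if err != nil {
		return
	}
	const apiServer = "kube-apiserver.cluster-a.example" // hypothetical endpoint
	apiCert, err := clusterA.issueServerCert(apiServer)
	if err != nil {
		return
	}
	return trusts(clusterA.cert, apiCert, apiServer),
		trusts(clusterB.cert, apiCert, apiServer),
		trusts(etcdA.cert, apiCert, apiServer), nil
}

func main() {
	own, other, etcd, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("own root: %v, other cluster's root: %v, own etcd CA: %v\n", own, other, etcd)
}
```

Only the first check succeeds: a certificate signed by cluster A's root is rejected by cluster B's root and by cluster A's etcd CA, which is the isolation the quoted sentence describes. The same mechanism is why a compromised CA in one cluster cannot mint certificates that another cluster's components would accept, and why a leaked etcd-side certificate is not usable against the API server.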