kubernetes / website

Kubernetes website and documentation repo:
https://kubernetes.io
Creative Commons Attribution 4.0 International

Improve docs about Kubernetes API access CA and using it from a Pod #42537

Open sftim opened 1 year ago

sftim commented 1 year ago

This is a Feature Request

What would you like to be added:

Add details about the CA certificate that a container (in a Pod) can use for API access, when that certificate might be missing from your Pod, and what to do if that occurs.

Why is this needed:

Accessing the Kubernetes API from a Pod states:

If available, a certificate bundle is placed into the filesystem tree of each container at /var/run/secrets/kubernetes.io/serviceaccount/ca.crt, and should be used to verify the serving certificate of the API server.

However, the page doesn't explain under what circumstances that file might not be present, nor what to do if you find that it isn't there.
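As an added example (not part of this issue or of the Kubernetes documentation): a Python helper that trusts only the bundle at the path quoted above to verify the API server. How to handle an absent file is exactly what the issue says is undocumented, so failing closed here is this example's assumption; `MissingCABundle` and `api_server_ssl_context` are hypothetical names.

```python
import os
import ssl

# Directory from the path quoted on this page.
SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"
PEM_MARKER = b"-----BEGIN CERTIFICATE-----"


class MissingCABundle(RuntimeError):
    """No usable CA bundle, so the API server cannot be verified."""


def api_server_ssl_context(sa_dir=SA_DIR):
    """Return an SSLContext that trusts only <sa_dir>/ca.crt.

    Assumption of this example: a missing or empty bundle is a hard error.
    The caller never gets a context with verification switched off.
    """
    ca_path = os.path.join(sa_dir, "ca.crt")
    try:
        with open(ca_path, "rb") as fh:
            pem = fh.read()
    except OSError as exc:
        raise MissingCABundle(f"cannot read {ca_path}: {exc}") from exc
    if PEM_MARKER not in pem:
        raise MissingCABundle(f"{ca_path} contains no PEM certificate")

    # PROTOCOL_TLS_CLIENT sets CERT_REQUIRED and check_hostname=True and
    # loads no system CAs, so only the mounted bundle is trusted.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=ca_path)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        raise MissingCABundle(f"{ca_path} is not parseable: {exc}") from exc
    return ctx


if __name__ == "__main__":
    try:
        ctx = api_server_ssl_context()
        print("CA certificates loaded:", ctx.cert_store_stats()["x509_ca"])
    except MissingCABundle as err:
        raise SystemExit(f"refusing to call the API server: {err}")
```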

Comments

/sig auth

Some more context: ClusterTrustBundles are an alpha feature that might help an API server publish a valid CA certificate for the hostname that clients are expected to use. See KEP 3257 for more details.

stlaz commented 10 months ago

/triage accepted

Shubham82 commented 10 months ago

/lifecycle frozen