This is a Feature Request
What would you like to be added
Add details about the CA certificate that a container (in a Pod) can use for API access, when that certificate might be missing from your Pod, and what to do if that occurs.
Why is this needed
Accessing the Kubernetes API from a Pod states:
"If available, a certificate bundle is placed into the filesystem tree of each container at /var/run/secrets/kubernetes.io/serviceaccount/ca.crt, and should be used to verify the serving certificate of the API server."
However, the page doesn't explain under what circumstances that file might not be present, nor what to do if you find that it isn't there.
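An added example (not part of the issue or of the Kubernetes documentation): a client-side check that builds a TLS context trusting only the bundle at the path quoted above, and refuses to proceed, rather than disabling verification, when the file is absent or holds no certificate. The names `api_tls_context`, `bundle_status` and `CABundleUnavailable` are hypothetical, and failing closed is this example's assumption, not documented guidance.

```python
import os
import ssl

# In-Pod bundle location quoted in the issue above.
SA_CA_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"


class CABundleUnavailable(RuntimeError):
    """Hypothetical error: raised instead of falling back to unverified TLS."""


def api_tls_context(ca_path=SA_CA_PATH):
    """Return an SSLContext that trusts only the certificates in ca_path."""
    if not os.path.isfile(ca_path):
        raise CABundleUnavailable(f"CA bundle not present: {ca_path}")
    # PROTOCOL_TLS_CLIENT enables CERT_REQUIRED and hostname checking; no
    # system trust store is loaded, so only the in-Pod bundle is trusted.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=ca_path)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        raise CABundleUnavailable(f"CA bundle unusable: {ca_path}: {exc}") from exc
    if ctx.cert_store_stats()["x509"] == 0:
        raise CABundleUnavailable(f"no certificate loaded from {ca_path}")
    return ctx


def bundle_status(ca_path=SA_CA_PATH):
    """Return ("ok", n_certs) or ("unavailable", reason) for logs or probes."""
    try:
        ctx = api_tls_context(ca_path)
        return ("ok", ctx.cert_store_stats()["x509"])
    except CABundleUnavailable as exc:
        return ("unavailable", str(exc))


if __name__ == "__main__":
    print(bundle_status())
```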
Comments
/sig auth
Some more context: ClusterTrustBundles are an alpha feature that might help an API server publish a valid CA certificate for the hostname that clients are expected to use.
See KEP 3257 for more details.