Kubernetes - kubelet

Last Updated: 2024-03-03

kubelet files:


kubelet.conf has this

  - name: default-auth
      client-certificate: /var/lib/kubelet/pki/kubelet-client-current.pem
      client-key: /var/lib/kubelet/pki/kubelet-client-current.pem

/var/lib/kubelet/pki/kubelet-client-current.pem is used when talking to the api server. The cert has Subject: O = system:nodes, CN = system:node:<node_name>

kubelet is deployed as a systemd service; check status: $ systemctl status kubelet.

kubelet needs a kubeconfig to authenticate itself to the API server.

kubelet talks to containerd through a unix socket: unix:///run/containerd/containerd.sock.


  • if you start kubelet with --register-node=false, you need to manually create Node object; if true it will create Node object on the api server.
  • if set the kubelet --authorization-mode flag to Webhook, it will use the SubjectAccessReview API to determine authorization.
  • --network-plugin=cni: enables CNI (Container Network Interface).

kubelet service

This configuration file installed by the kubeadm package is written to /etc/systemd/system/kubelet.service.d/10-kubeadm.conf and is used by systemd.

Input for kubelet

The kubelet works in terms of a PodSpec. A PodSpec is a YAML or JSON object that describes a pod.


The kubelet calls the TokenReview API on the configured API server to determine user information from bearer tokens.