
The KCM is moving to a means of only signing apiserver (kubelet) client and kubelet serving certificates. See: https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/20190607-certificates-api.md#signers

Up until now the experimental kubeadm functionality '--use-api' under "kubeadm alpha certs renew" was using the KCM to sign *any* certificate as long as the KCM has the root CA cert/key.

Post discussions with the kubeadm maintainers, it was decided that this functionality should be removed from kubeadm due to the requirement to have external signers for renewing the common control-plane certificates that kubeadm manages.