- customer = a user other than a cluster operations agent
- cluster operations = collection of agents that are used to provide a viable cluster
Hostpath volume mounts are rarely needed by a customer pod. At the same time, kubelet needs to read a certificate to authenticate against the cluster. We do not want someone to create a creative pod request that maps in /etc/kubernetes
and thus exposes the individual kubelet's certificate. If that occurred, the individual would be able to act as if it were kubelet, which includes reading any secret stored in the cluster.
It is not possible right now to pass certificates to kubelet as environment variables, so more could be done later to better secure kubelet's credentials.
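The following is an added example, not code from the original notes or from any Kubernetes component: a validating-admission-style check over a pod manifest (the plain dict decoded from an AdmissionReview request) that rejects hostPath volumes from customer pods outright and, for cluster-operations namespaces, still refuses any hostPath that is the credential directory, lies inside it, or is an ancestor of it (so a mount of `/etc` or `/` is caught too). The sensitive-path list, the `kube-system` allow-list and the sample manifests are constructed assumptions for illustration.

```python
"""Reject pod specs whose hostPath volumes could expose kubelet credentials.

Added example (not part of the original notes). Operates on a pod manifest
as a plain dict, the way a validating admission webhook receives it.
"""
import posixpath

# Assumption: host directories that hold kubelet / control-plane credentials.
SENSITIVE_HOST_PATHS = ("/etc/kubernetes", "/var/lib/kubelet/pki")

# Assumption: namespaces reserved for cluster-operations agents.
CLUSTER_OPS_NAMESPACES = frozenset({"kube-system"})


def _normalize(path: str) -> str:
    # Collapse "..", "//" and trailing slashes so that
    # "/etc/kubernetes/../kubernetes/" compares equal to "/etc/kubernetes".
    return posixpath.normpath("/" + path.lstrip("/"))


def _overlaps(host_path: str, sensitive: str) -> bool:
    """True if host_path equals, is inside, or is an ancestor of sensitive."""
    h, s = _normalize(host_path), _normalize(sensitive)
    if h == "/":
        return True  # mounting the whole host filesystem covers everything
    # The trailing "/" prevents "/etc/kubernetes-backup" matching "/etc/kubernetes".
    return h == s or s.startswith(h + "/") or h.startswith(s + "/")


def check_pod(pod: dict) -> list[str]:
    """Return violation messages for a pod manifest; an empty list means admit."""
    namespace = pod.get("metadata", {}).get("namespace", "default")
    violations = []
    for vol in pod.get("spec", {}).get("volumes") or []:
        host_path = vol.get("hostPath")
        if host_path is None:
            continue  # emptyDir, configMap, PVC, ... are not our concern here
        name = vol.get("name", "<unnamed>")
        path = host_path.get("path", "")
        if namespace not in CLUSTER_OPS_NAMESPACES:
            violations.append(
                f"volume {name!r}: hostPath is not allowed for customer pods "
                f"in namespace {namespace!r}")
            continue
        for sensitive in SENSITIVE_HOST_PATHS:
            if _overlaps(path, sensitive):
                violations.append(
                    f"volume {name!r}: hostPath {path!r} overlaps credential "
                    f"directory {sensitive!r}")
                break
    return violations


def review(admission_review: dict) -> dict:
    """Build an admission.k8s.io/v1 AdmissionReview response for a request."""
    request = admission_review["request"]
    violations = check_pod(request["object"])
    response = {"uid": request["uid"], "allowed": not violations}
    if violations:
        response["status"] = {"code": 403, "message": "; ".join(violations)}
    return {"apiVersion": "admission.k8s.io/v1",
            "kind": "AdmissionReview",
            "response": response}


# Constructed sample manifests (not real cluster objects).
CUSTOMER_POD = {
    "metadata": {"name": "curious", "namespace": "team-a"},
    "spec": {"volumes": [{"name": "cfg", "hostPath": {"path": "/etc/kubernetes"}}]},
}
OPS_POD = {
    "metadata": {"name": "cni-agent", "namespace": "kube-system"},
    "spec": {"volumes": [
        {"name": "cni", "hostPath": {"path": "/etc/cni/net.d"}},
        {"name": "creds", "hostPath": {"path": "/etc/kubernetes/../kubernetes/pki/"}},
    ]},
}
PLAIN_POD = {
    "metadata": {"name": "web", "namespace": "team-a"},
    "spec": {"volumes": [{"name": "scratch", "emptyDir": {}}]},
}

if __name__ == "__main__":
    for pod in (CUSTOMER_POD, OPS_POD, PLAIN_POD):
        print(pod["metadata"]["name"], check_pod(pod) or "admit")
    print(review({"request": {"uid": "constructed-uid-1", "object": CUSTOMER_POD}}))
```

The ancestor check matters because the credential directory can be reached through any broader mount, not only through a mount of `/etc/kubernetes` itself. Note that static pods, which kubelet starts directly from its manifest directory, are not gated by API-server admission, so a check like this complements host hardening of the credential files rather than replacing it. The Pod Security Standards `baseline` level forbids hostPath volumes entirely, which is the simpler choice for namespaces that only ever run customer pods.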