- kube-controller-manager currently needs a writable `--cert-dir` (default is `/var/run/kubernetes`) for generating self-signed certificates, when no `--tls-cert-file` or `--tls-private-key-file` are provided.

- Kubeadm: during execution of the "check expiration" command, treat the etcd CA as external if there is a missing etcd CA key file (etcd/ca.key) and perform the proper validation on certificates signed by the etcd CA. Additionally, make sure that the CA for all entries in the output table is included - for both certificates on disk and in kubeconfig files. ([#106926](https://github.com/kubernetes/kubernetes/pull/106926), [@neolit123](https://gi...

  - The requested name does not match the set of authorized names (x509.HostnameError)
  - The error surfaced after attempting a connection contains one of the substrings: "certificate is not trusted" or "certificate signed by unknown authority" ([#120765](https://github.com/kubernetes/kubernetes/pull/120765), [@MadhavJivrajani](https://github.com/MadhavJivrajani)) [SIG Architecture and Cloud Provider]

  - The requested name does not match the set of authorized names (x509.HostnameError)
  - The error surfaced after attempting a connection contains one of the substrings: "certificate is not trusted" or "certificate signed by unknown authority" ([#120768](https://github.com/kubernetes/kubernetes/pull/120768), [@MadhavJivrajani](https://github.com/MadhavJivrajani)) [SIG Architecture and Cloud Provider]

  - The requested name does not match the set of authorized names (x509.HostnameError)
  - The error surfaced after attempting a connection contains one of the substrings: "certificate is not trusted" or "certificate signed by unknown authority" ([#120766](https://github.com/kubernetes/kubernetes/pull/120766), [@MadhavJivrajani](https://github.com/MadhavJivrajani)) [SIG Architecture and Cloud Provider]

0x06, 0x28, 0xcf, 0x06, 0x03, 0x00, 0x31, 0x04, 0x14}, } // SignPKCS1v15 calculates an RSASSA-PKCS1-v1.5 signature. // // hash is the name of the hash function as returned by [crypto.Hash.String] // or the empty string to indicate that the message is signed directly. func SignPKCS1v15(priv *PrivateKey, hash string, hashed []byte) ([]byte, error) { fipsSelfTest() fips140.RecordApproved() checkApprovedHashNam(hash) return signPKCS1v15(priv, hash, hashed) } func signPKCS1v15(priv *PrivateKey, hash string,...

0x06, 0x28, 0xcf, 0x06, 0x03, 0x00, 0x31, 0x04, 0x14}, } // SignPKCS1v15 calculates an RSASSA-PKCS1-v1.5 signature. // // hash is the name of the hash function as returned by [crypto.Hash.String] // or the empty string to indicate that the message is signed directly. func SignPKCS1v15(priv *PrivateKey, hash string, hashed []byte) ([]byte, error) { fipsSelfTest() fips140.RecordApproved() checkApprovedHashNam(hash) return signPKCS1v15(priv, hash, hashed) } func signPKCS1v15(priv *PrivateKey, hash string,...