This knowledge base article addresses concerns regarding the cluster-auth-pinniped-kube-cert-agent deployment, specifically its configuration with a single replica on a control plane node, which has raised questions about redundancy.
The cluster-auth-pinniped-kube-cert-agent deployment on managed clusters is created and managed by a controller running inside the Pinniped Concierge pod. The kube-cert-agent pod serves no network traffic and is not designed to scale with cluster size or workload activity, so a single replica is sufficient. It must be scheduled on a control plane node because its job is to observe the Kubernetes signing keys, which are essential for user authentication to the cluster. This behavior is inherent to the open-source Pinniped project, not specific to this deployment.
The Broadcom engineering team has confirmed that this single-replica, control-plane-pinned configuration is the expected behavior for the cluster-auth-pinniped-kube-cert-agent deployment. Further details on Pinniped's behavior can be found in the Pinniped documentation.