Kubelet server certificates

Hello everyone,
Im failing to understand how the kubelet certificates work: In a kubeadm-deployed cluster, the kubelet has a certificate and key under /var/lib/kubelet/pki named ‘kubelet.crt’ and ‘kubelet.key’ respectively. I see no reference for these in the kubelet service nor in the kubelet configuration file.
Also the certificate in question is also signed by an authority named ‘worker-0-ca@1602432398’ (for the this kubelet in a worker node). Shouldn’t the the certificates for the kubelet server be signed by the same authority as the apiserver-kubelet client (a.k.a issuer CN=kubernetes)?

there is no use of --cert-dir, --tls-cert-file and --tls-private-key-file when launching the kubelet server.

Where are the certificates for the kubelet server are served from and who handles their renewal?