Information required related to service kubernetes

Solution 1:

My question is that if a client let's say kubectl has to access a cluster for various get/delete/edit operations

2)And if kubelet needs to talk to API endpoint

Correct, those two interactions are solving the same problem: how does a process that is external to the kubernetes cluster reach the control-plane. One could imagine that it would be restricted to (for example) just the corporate VPN for kubectl operations, or just the worker subnets for kubelet.

kubelet actually doesn't need to use the NLB (meaning traffic going out of the VPC through any Nat GW/Internet GW to the NLB and back into the VPC), it is perfectly safe and effective to point kubelet's configuration at the "internal" side of that NLB, so long as the control-plane certificates have sufficient Subject Alternative Name entries to satisfy the TLS handshake. That's usually why people don't bother distinguishing those two cases, but if it is a security (or cost!) concern for your organization, it's 100% possible to split those two interactions

Which API uses this service?

The CNI Service points at the same control-plane but that traffic travels within the cluster, and that kubernetes.default.svc.cluster.local Service is available to all Namespaces all the time, and is how any in-Pod kubernetes client uses the built-in ServiceAccount token to reach the kubernetes API. That way, anything running inside the cluster does not need to have any configuration whatsoever in order to reach the API -- including Internet access -- because that in-cluster traffic does not leave the CNI network