It depends on two things: your CA and the content of auth.conf. If you have
one CA signing all your certificates, then every host can validate the cert
on every master. If that's the case, then any host with the correct
permissions in auth.conf can issue the puppet kick command. If you have
diff

Posting here as well as on the developers group (they suggested that I
repost here).
How does puppet kick work in a scenario where a puppet master is
managing puppet masters who manage puppet masters who manage agents?
Do I have to kick from the immediate Master of the agent I want to
kick? Do I