Kubelet Server TLS Certificate Rotation #267
Comments
I'm assuming this encompasses initial bootstrapping of the serving cert too?
Yes, initial bootstrapping of the server cert will be covered by this. Would you like a separate one, or just checking that feature wasn't lost in the shuffle?
Just checking, thanks.
@jcbsmpsn please, provide us with the design proposal link
Design proposal: kubernetes/community#602
@jcbsmpsn updated the feature description with the link, thanks.
Going to merge this into #266
Actually, I wouldn't. There's more work to do here with determining which SANs a node is allowed to serve.
@jcbsmpsn
This includes documenting the new CSR approver built into the controller manager and the kubelet alpha features for certificate rotation. ref: - kubernetes/kubernetes#45030 - kubernetes/enhancements#266 - kubernetes/enhancements#267
This includes documenting the new CSR approver built into the controller manager and the kubelet alpha features for certificate rotation. Since the CSR approver changed over the 1.7 release cycle we need to call out the migration steps for those using the alpha feature. This document as a whole could probably use some updates, but the main focus of this PR is just to get these features minimally documented before the release. ref: - kubernetes/kubernetes#45030 - kubernetes/enhancements#266 - kubernetes/enhancements#267
@apsinha Some documentation for this is included in kubernetes/website#4208
@jcbsmpsn Can you please update this feature's status for v1.8?
work to capture this in a retroactive KEP for 1.27 got preempted by #3744 |
I looked at work needed to GA. Retrospective KEP: #3806 Couple things stand out:
Depending on the bar we want to use here, we may get it for 1.27. If not, I'd suggest we at least promote metrics to BETA in 1.27
We should document this - or commit resources to doing that documentation work - before we make it GA. Doing so helps but does not fully close kubernetes/website#30575 (which happens to be the oldest open issue against k/website). We do have https://kubernetes.io/docs/tasks/tls/certificate-rotation/ but it's pretty short, looks inaccurate, and doesn't cover the process clearly enough. Imagine that you're studying for the CKS and you're relying on the open source materials only; do you think the explanation covers what you need to learn?
Is SIG-Node interested in bringing this to GA in an upcoming cycle? Was any progress made on graduating metrics? @SergeyKanzhelev
Metrics are not supporting beta. At least they were not when I checked. And making metrics Stable needs to be done with GA-ing of this feature
@kannon92 expressed interest moving this forward.
/assign |
It's supported now: https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/component-base/metrics/opts.go#L80-L82. The guidance for
@logicalhan I opened up kubernetes/kubernetes#122834 to promote these metrics to beta. Not entirely sure if this has to be done before/after the retrospective KEP.
/cc @tallclair |
/stage stable |
Just to be clear, I took this KEP to sig-auth and I don't think there was any commitment from sig-auth to include this for 1.30. My hope is to get the retrospective KEP approved and maybe promote some metrics to beta in 1.30. I still need to find someone who can help with some historical context on this KEP as I am afraid I don't have that.
/milestone clear |
/assign @aojea let's try to move this to GA this cycle |
Feature Description
One-line feature description (can be used as a release note):
Rotation of the server TLS certificate on the kubelet.
Primary contact (assignee):
@mikedanese @liggitt
Responsible SIGs:
sig-auth
Design proposal link (community repo): Kubelet server certificate bootstrap and rotation community#602
Reviewer(s) - (for LGTM) recommend having 2+ reviewers (at least one from code-area OWNERS file) agreed to review. Reviewers from multiple companies preferred:
@mikedanese @awly
Approver (likely from SIG/area to which feature belongs):
@liggitt
Initial target stage (alpha/beta/stable) and release (x.y):