Make sure that Kubelet Certificate Rotation is enabled in v1.8 #386
Comments
luxas
added
area/security
kind/enhancement
priority/important-soon
|
Since this is part of the 1.8 milestone, going to note that this feature will not be turned on by default for the kubelet. kubernetes/kubernetes#51045 (comment) CSRs aren't properly garbage collected as of 1.8, so having the kubelets create some arbitrary number of CSRs on clusters that don't have an external controller to clean them up is problematic. Hoping to address this in 1.9. |
|
We're planning to enable it via the feature gate. I saw that CSRs aren't GC'd yet, but if I understood it correctly, the expiration time is one year, right? |
Feature gate is enabled by default. There was a new flag added as part of kubernetes/kubernetes#51045 This defaults to false because the actual CSR kubernetes resources in the certificates API are never removed, even if they're expired, denied, or even ignored for some period of time. |
|
@ericchiang Gotcha. Then we're planning to set |
|
Yep! |
|
Just to clarify because I wasn't familiar with the 1.8 behavior... CSRs aren't garbage collected in 1.8, but the default lifetime is 1 year and rotation only happens after between 70% (~8 months) and 90% (~10 months) of the lifetime of the certificate. So in the worst case a cluster of N nodes will accumulate N CSRs every 8.4 months or so. This means after 3 years you still only have around 4N CSRs. This is where the default certificate lifetime is set: This is where the 70%-90% calculation is done: |
Automatic merge from submit-queue (batch tested with PRs 52007, 52196, 52169, 52263, 52291) kubeadm: Enable certificate rotation **What this PR does / why we need it**: Enables cert rotation as planned for the v1.8 cycle in kubernetes/kubeadm#386 Can now be done as everything's in place in the code now that beta.1 is released with all the necessary features (Kubelet clientcert rotation now beta, woot!) **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # fixes: kubernetes/kubeadm#386 **Special notes for your reviewer**: This file does _ONLY_ affect the kubeadm e2e CI. What will actually end up in the debs/rpms is going into kubernetes/release right before v1.8 is released (due to how those scripts work, not optimal :/ ) **Release note**: ```release-note kubeadm: Enable kubelet client certificate rotation ``` @kubernetes/sig-cluster-lifecycle-pr-reviews @kubernetes/sig-auth-pr-reviews
As kubernetes/enhancements#266 and kubernetes/enhancements#267 mature, we should enable them in the kubeadm-specific kubelet arg list (https://github.com/kubernetes/release/blob/master/debian/xenial/kubeadm/channel/stable/etc/systemd/system/kubelet.service.d/10-kubeadm.conf)
At least client cert rotation will be beta in v1.8. We should enable that behavior by default.
cc @kubernetes/sig-auth-feature-requests @jcbsmpsn
The text was updated successfully, but these errors were encountered: