SPIRE install: Set CA name + disable kubelet validation by default #25160
Conversation
This sets a CN on the CA to be valid. It also disables the kubelet validation by default as this breaks many installations such as on kind.

Signed-off-by: Maartje Eyskens <maartje.eyskens@isovalent.com>
43ce94f to dbafe52
/test
@@ -2669,7 +2669,7 @@ auth: | |||
# -- SPIRE agent labels | |||
labels: { } | |||
# -- SPIRE Workload Attestor kubelet verification. | |||
skipKubeletVerification: false | |||
skipKubeletVerification: true |
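Review bot: the default flip to `skipKubeletVerification: true` ships with the unchanged one-line comment `# -- SPIRE Workload Attestor kubelet verification.`, which no longer tells a reader what the value does or why the less strict setting is now the default. Either keep `false` as the shipped default and document the `true` override for the distributions where verification breaks (the commit message names kind), or at minimum extend the comment to state that `true` skips the attestor's verification of the kubelet and is intended for such environments, so anyone deploying to a production cluster knows to set it back to `false`.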
This does worry me a little bit, in that we're already doing some funky stuff with attestation in having the Cilium agent have heaps of the process delegated to it.
That said, now I wrote that, maybe it is less of a problem because the kubelet is not actually involved in any attestation aside from the Cilium Agent and Operator getting their identities.
My original approach is to go with secure, sensible default values, and users can still change them via Helm values based on the k8s distro they are using (e.g. kind, minikube).
Helm changes are trivial.
One comment on changing the default value of skipKubeletVerification: if this flag is not required, we can still ship it.
@@ -2703,7 +2703,7 @@ auth: | |||
subject: | |||
country: "US" | |||
organization: "SPIRE" | |||
commonName: "" | |||
commonName: "Cilium SPIRE CA" |
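Review bot: `commonName: "Cilium SPIRE CA"` is only needed because, per the commit message, an empty CN left the CA invalid, yet nothing in the hunk records that constraint, so the next person who blanks the field while customising the subject will hit the same failure. Suggest a comment above `commonName:` (or on the `subject:` block) stating that the common name must be non-empty, and consider failing chart rendering on an empty value rather than producing an unusable CA.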
Thanks, I had this in the local temp value, but didn't pass the default value here.
Helm changes LGTM besides the ongoing discussion about skipKubeletVerification.
Made an issue to track this in: #25193
k8s-1.26-kernel-net-next hit #15455
This PR fixes two things to make the SPIRE installation that comes with Cilium frictionless: