kubelet-rubber-stamp is simple CSR auto approver operator to help bootstrapping kubelet serving certificates easily.
The logic used follows the same logic used when auto-approving kubelet client certificates in kubelet TLS bootstrap phase.
So basically the flow is:
- kubelet gets the client cert (see TLS bootstrap)
- Kubelet creates a CSR
- kubelet-rubber-stamp reacts to the creation of a CSR
- validates that it's a valid request for kubelet serving certificate
- validates that the requestor (the kubelet/node) has sufficient authorization
- approve the CSR
- Kubelet fetches the certificate
- Kubelet auto-rotates certs, goto 2 :)
Bug reports and pull requests are welcome on GitHub at https://github.com/kontena/kubelet-rubber-stamp
Copyright (c) 2019 Kontena, Inc.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.