-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Kubelet Client TLS Certificate Rotation #266
Comments
@jcbsmpsn please, provide us with the design proposal link. |
@jcbsmpsn please, provide us with the design proposal link and docs PR link (and update the features tracking spreadsheet with it). |
This includes documenting the new CSR approver built into the controller manager and the kubelet alpha features for certifiate rotation. ref: - kubernetes/kubernetes#45030 - kubernetes/enhancements#266 - kubernetes/enhancements#267
This includes documenting the new CSR approver built into the controller manager and the kubelet alpha features for certifiate rotation. Since the CSR approver changed over the 1.7 release cycle we need to call out the migration steps for those using the alpha feature. This document as a whole could probably use some updates, but the main focus of this PR is just to get these features minimally documented before the release. ref: - kubernetes/kubernetes#45030 - kubernetes/enhancements#266 - kubernetes/enhancements#267
This includes documenting the new CSR approver built into the controller manager and the kubelet alpha features for certificate rotation. Since the CSR approver changed over the 1.7 release cycle we need to call out the migration steps for those using the alpha feature. This document as a whole could probably use some updates, but the main focus of this PR is just to get these features minimally documented before the release. ref: - kubernetes/kubernetes#45030 - kubernetes/enhancements#266 - kubernetes/enhancements#267
This includes documenting the new CSR approver built into the controller manager and the kubelet alpha features for certificate rotation. Since the CSR approver changed over the 1.7 release cycle we need to call out the migration steps for those using the alpha feature. This document as a whole could probably use some updates, but the main focus of this PR is just to get these features minimally documented before the release. ref: - kubernetes/kubernetes#45030 - kubernetes/enhancements#266 - kubernetes/enhancements#267
Automatic merge from submit-queue (batch tested with PRs 49237, 49656, 49980, 49841, 49899) certificate manager: close existing client conns once cert rotates After the kubelet rotates its client cert, it will keep connections to the API server open indefinitely, causing it to use its old credentials instead of the new certs. Because the API server authenticates client certs at the time of the request, and not the handshake, this could cause the kubelet to start hitting auth failures even if it rotated its certificate to a new, valid one. When the kubelet rotates its cert, close down existing connections to force a new TLS handshake. Ref kubernetes/enhancements#266 Updates kubernetes-retired/bootkube#663 ```release-note After a kubelet rotates its client cert, it now closes its connections to the API server to force a handshake using the new cert. Previously, the kubelet could keep its existing connection open, even if the cert used for that connection was expired and rejected by the API server. ``` /cc @kubernetes/sig-auth-bugs /assign @jcbsmpsn @mikedanese
@jcbsmpsn Can you please update this feature's status for v1.8? |
@idvoretskyi Yep! Client certificate rotation will be beta in 1.8 and a release note has been added in the release note draft. |
@jcbsmpsn an addition to the docs for this feature would be very useful for users. Is it already documented? |
Related documentation updates: kubernetes/website#5639 |
Yes, this is planned to graduate in 1.19. The original design and feature pre-dated the KEP process, so #1756 has been opened to convert it to KEP format. |
/milestone v1.19 |
@liggitt -- Thank you for the update. I have updated the tracking sheet accordingly. 👍 |
Hi @liggitt 👋 1.19 docs shadow here! Does this enhancement work planned for 1.19 require new or modification to docs? Friendly reminder that if new/modification to docs are required, a placeholder PR against k/website (branch |
https://kubernetes.io/docs/tasks/tls/certificate-rotation/ would need updating to note the GA status and non-experimental signing duration flag. Placeholder open at kubernetes/website#21108 |
Thank you @liggitt , I will update the tracking sheet accordingly |
Hi @liggitt I see that kubernetes/kubernetes#91116 has merged already, if you have any other PRs, please link them to this issue so that we can track them. As a reminder Code Freeze is June 25th :) Thanks!! |
Hi @liggitt ! To follow-up on the email sent to k-dev today, I wanted to let you know that Code Freeze has been extended to Thursday, July 9th. You can see the revised schedule here: https://github.com/kubernetes/sig-release/tree/master/releases/release-1.19 We expect all PRs to be merged by that time. Please let me know if you have any questions. 😄 Best, |
Hi @liggitt, a friendly reminder of the next deadline coming up. |
Hi @liggitt , Is this enhancement now code complete? As a reminder Code Freeze is Thursday July 9th. Thanks! |
Yes |
Hi @liggitt, just a quick reminder to get your doc PR ready for review (Remove WIP/rebased/all ready to go) by EOD. Thank you! |
Doc PR is ready for review |
Hi @liggitt ! Since this KEP is GA in 1.19 can you please update the status to implemented so that we can close this issue? Thank you! |
KEP update in #1984 /close |
@liggitt: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Enhancement Description
The text was updated successfully, but these errors were encountered: