Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Kubelet Client TLS Certificate Rotation #266

Closed
jcbsmpsn opened this issue Apr 24, 2017 · 44 comments
Closed

Kubelet Client TLS Certificate Rotation #266

jcbsmpsn opened this issue Apr 24, 2017 · 44 comments
Assignees
Labels
kind/feature Categorizes issue or PR as related to a new feature. sig/auth Categorizes an issue or PR as relevant to SIG Auth. stage/beta Denotes an issue tracking an enhancement targeted for Beta status stage/stable Denotes an issue tracking an enhancement targeted for Stable/GA status

Comments

@jcbsmpsn
Copy link
Contributor

jcbsmpsn commented Apr 24, 2017

Enhancement Description

@idvoretskyi idvoretskyi added help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. sig/auth Categorizes an issue or PR as relevant to SIG Auth. stage/alpha Denotes an issue tracking an enhancement targeted for Alpha status labels May 3, 2017
@idvoretskyi idvoretskyi added this to the v1.7 milestone May 3, 2017
@idvoretskyi
Copy link
Member

idvoretskyi commented May 3, 2017

@jcbsmpsn please, provide us with the design proposal link.

@idvoretskyi idvoretskyi added this to Action required in Kubernetes 1.7 features May 3, 2017
@jcbsmpsn jcbsmpsn changed the title Client TLS Certificate Rotation Kubelet Client TLS Certificate Rotation Jun 5, 2017
@idvoretskyi
Copy link
Member

idvoretskyi commented Jun 16, 2017

@jcbsmpsn please, provide us with the design proposal link and docs PR link (and update the features tracking spreadsheet with it).
/cc @kubernetes/sig-auth-feature-requests @timstclair

@ericchiang ericchiang changed the title Kubelet Client TLS Certificate Rotation Kubelet TLS Certificate Rotation Jun 22, 2017
@ericchiang ericchiang changed the title Kubelet TLS Certificate Rotation Kubelet Client TLS Certificate Rotation Jun 22, 2017
ericchiang added a commit to ericchiang/website that referenced this issue Jun 27, 2017
This includes documenting the new CSR approver built into the
controller manager and the kubelet alpha features for certifiate
rotation.

ref:

- kubernetes/kubernetes#45030
- kubernetes/enhancements#266
- kubernetes/enhancements#267
ericchiang added a commit to ericchiang/website that referenced this issue Jun 27, 2017
This includes documenting the new CSR approver built into the
controller manager and the kubelet alpha features for certifiate
rotation.

Since the CSR approver changed over the 1.7 release cycle we need
to call out the migration steps for those using the alpha feature.
This document as a whole could probably use some updates, but the
main focus of this PR is just to get these features minimally
documented before the release.

ref:

- kubernetes/kubernetes#45030
- kubernetes/enhancements#266
- kubernetes/enhancements#267
ericchiang added a commit to ericchiang/website that referenced this issue Jun 27, 2017
This includes documenting the new CSR approver built into the
controller manager and the kubelet alpha features for certificate
rotation.

Since the CSR approver changed over the 1.7 release cycle we need
to call out the migration steps for those using the alpha feature.
This document as a whole could probably use some updates, but the
main focus of this PR is just to get these features minimally
documented before the release.

ref:

- kubernetes/kubernetes#45030
- kubernetes/enhancements#266
- kubernetes/enhancements#267
ericchiang added a commit to ericchiang/website that referenced this issue Jun 27, 2017
This includes documenting the new CSR approver built into the
controller manager and the kubelet alpha features for certificate
rotation.

Since the CSR approver changed over the 1.7 release cycle we need
to call out the migration steps for those using the alpha feature.
This document as a whole could probably use some updates, but the
main focus of this PR is just to get these features minimally
documented before the release.

ref:

- kubernetes/kubernetes#45030
- kubernetes/enhancements#266
- kubernetes/enhancements#267
k8s-github-robot pushed a commit to kubernetes/kubernetes that referenced this issue Aug 3, 2017
Automatic merge from submit-queue (batch tested with PRs 49237, 49656, 49980, 49841, 49899)

certificate manager: close existing client conns once cert rotates

After the kubelet rotates its client cert, it will keep connections to the API server open indefinitely, causing it to use its old credentials instead of the new certs. Because the API server authenticates client certs at the time of the request, and not the handshake, this could cause the kubelet to start hitting auth failures even if it rotated its certificate to a new, valid one.
    
When the kubelet rotates its cert, close down existing connections to force a new TLS handshake.

Ref kubernetes/enhancements#266
Updates kubernetes-retired/bootkube#663

```release-note
After a kubelet rotates its client cert, it now closes its connections to the API server to force a handshake using the new cert. Previously, the kubelet could keep its existing connection open, even if the cert used for that connection was expired and rejected by the API server.
```

/cc @kubernetes/sig-auth-bugs 
/assign @jcbsmpsn @mikedanese
@luxas
Copy link
Member

luxas commented Aug 14, 2017

@jcbsmpsn Can you please update this feature's status for v1.8?
AFAIK, beta is targeted, right?

@luxas luxas modified the milestones: 1.8, 1.7 Aug 14, 2017
@luxas luxas added stage/beta Denotes an issue tracking an enhancement targeted for Beta status and removed stage/alpha Denotes an issue tracking an enhancement targeted for Alpha status labels Aug 14, 2017
@idvoretskyi
Copy link
Member

idvoretskyi commented Sep 12, 2017

@jcbsmpsn @kubernetes/sig-auth-feature-requests @luxas can you confirm that this feature is still on track for 1.8?

@ericchiang
Copy link
Member

ericchiang commented Sep 12, 2017

@idvoretskyi Yep! Client certificate rotation will be beta in 1.8 and a release note has been added in the release note draft.

@apsinha
Copy link

apsinha commented Sep 25, 2017

@jcbsmpsn an addition to the docs for this feature would be very useful for users. Is it already documented?

@jcbsmpsn
Copy link
Contributor Author

jcbsmpsn commented Sep 26, 2017

Related documentation updates: kubernetes/website#5639

@liggitt liggitt moved this from In progress to GA-blocking features in SIG-Auth: CertificateSigningRequests May 6, 2020
@liggitt
Copy link
Member

liggitt commented May 8, 2020

Yes, this is planned to graduate in 1.19.

The original design and feature pre-dated the KEP process, so #1756 has been opened to convert it to KEP format.

@liggitt liggitt moved this from GA-blocking features to Tracking issues in SIG-Auth: CertificateSigningRequests May 8, 2020
@kikisdeliveryservice kikisdeliveryservice added tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team and removed tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team labels May 11, 2020
@kikisdeliveryservice
Copy link
Member

kikisdeliveryservice commented May 11, 2020

/milestone v1.19

@liggitt
Copy link
Member

liggitt commented May 15, 2020

KEP format merged at https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/266-kubelet-client-certificate-bootstrap-rotation

@palnabarun
Copy link
Member

palnabarun commented May 18, 2020

@liggitt -- Thank you for the update. I have updated the tracking sheet accordingly. 👍

@annajung
Copy link
Member

annajung commented May 20, 2020

Hi @liggitt 👋 1.19 docs shadow here! Does this enhancement work planned for 1.19 require new or modification to docs?

Friendly reminder that if new/modification to docs are required, a placeholder PR against k/website (branch dev-1.19) are needed by Friday, June 12.

@liggitt
Copy link
Member

liggitt commented May 21, 2020

https://kubernetes.io/docs/tasks/tls/certificate-rotation/ would need updating to note the GA status and non-experimental signing duration flag. Placeholder open at kubernetes/website#21108

@annajung
Copy link
Member

annajung commented May 21, 2020

Thank you @liggitt , I will update the tracking sheet accordingly

@kikisdeliveryservice
Copy link
Member

kikisdeliveryservice commented May 28, 2020

Hi @liggitt

I see that kubernetes/kubernetes#91116 has merged already, if you have any other PRs, please link them to this issue so that we can track them. As a reminder Code Freeze is June 25th :)

Thanks!!

@kikisdeliveryservice
Copy link
Member

kikisdeliveryservice commented Jun 15, 2020

Hi @liggitt !

To follow-up on the email sent to k-dev today, I wanted to let you know that Code Freeze has been extended to Thursday, July 9th. You can see the revised schedule here: https://github.com/kubernetes/sig-release/tree/master/releases/release-1.19

We expect all PRs to be merged by that time. Please let me know if you have any questions. 😄

Best,
Kirsten

@annajung
Copy link
Member

annajung commented Jun 22, 2020

Hi @liggitt, a friendly reminder of the next deadline coming up.
Please remember to populate your placeholder doc PR and get it ready for review by Monday, July 6th.

@kikisdeliveryservice
Copy link
Member

kikisdeliveryservice commented Jul 1, 2020

Hi @liggitt ,

Is this enhancement now code complete? As a reminder Code Freeze is Thursday July 9th.

Thanks!

@liggitt
Copy link
Member

liggitt commented Jul 1, 2020

Yes

@annajung
Copy link
Member

annajung commented Jul 6, 2020

Hi @liggitt, just a quick reminder to get your doc PR ready for review (Remove WIP/rebased/all ready to go) by EOD. Thank you!

@liggitt
Copy link
Member

liggitt commented Jul 6, 2020

Doc PR is ready for review

@kikisdeliveryservice kikisdeliveryservice added stage/stable Denotes an issue tracking an enhancement targeted for Stable/GA status and removed tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team labels Sep 11, 2020
@kikisdeliveryservice
Copy link
Member

kikisdeliveryservice commented Sep 11, 2020

Hi @liggitt !

Since this KEP is GA in 1.19 can you please update the status to implemented so that we can close this issue?

Thank you!
Kirsten

@liggitt
Copy link
Member

liggitt commented Sep 14, 2020

KEP update in #1984

/close

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Sep 14, 2020

@liggitt: Closing this issue.

In response to this:

KEP update in #1984

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@kikisdeliveryservice kikisdeliveryservice removed this from the v1.19 milestone Sep 14, 2020
@liggitt liggitt moved this from Tracking issues / designs to 1.19 - Done in SIG-Auth: CertificateSigningRequests Jan 6, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/feature Categorizes issue or PR as related to a new feature. sig/auth Categorizes an issue or PR as relevant to SIG Auth. stage/beta Denotes an issue tracking an enhancement targeted for Beta status stage/stable Denotes an issue tracking an enhancement targeted for Stable/GA status
Projects
Development

No branches or pull requests