Kubelet Server TLS Certificate Rotation #267
Comments
|
I'm assuming this encompasses initial bootstrapping of the serving cert too? |
|
Yes, initial bootstrapping of the server cert will be covered by this. Would you like a separate one, or just checking that feature wasn't lost in the shuffle? |
|
Just checking, thanks. |
idvoretskyi
added
sig/auth
|
@jcbsmpsn please, provide us with the design proposal link |
idvoretskyi
added
the
help wanted
|
Design proposal: kubernetes/community#602 |
|
@jcbsmpsn updated the feature description with the link, thanks. |
idvoretskyi
removed
the
help wanted
jcbsmpsn
changed the title
|
Going to merge this into #266 |
|
Actually, I wouldn't. There's more work to do here with determining which SANs a node is allowed to serve. |
|
@jcbsmpsn |
This includes documenting the new CSR approver built into the controller manager and the kubelet alpha features for certifiate rotation. ref: - kubernetes/kubernetes#45030 - kubernetes/enhancements#266 - kubernetes/enhancements#267
This includes documenting the new CSR approver built into the controller manager and the kubelet alpha features for certifiate rotation. Since the CSR approver changed over the 1.7 release cycle we need to call out the migration steps for those using the alpha feature. This document as a whole could probably use some updates, but the main focus of this PR is just to get these features minimally documented before the release. ref: - kubernetes/kubernetes#45030 - kubernetes/enhancements#266 - kubernetes/enhancements#267
|
@apsinha Some documentation for this is included in kubernetes/website#4208 |
This includes documenting the new CSR approver built into the controller manager and the kubelet alpha features for certificate rotation. Since the CSR approver changed over the 1.7 release cycle we need to call out the migration steps for those using the alpha feature. This document as a whole could probably use some updates, but the main focus of this PR is just to get these features minimally documented before the release. ref: - kubernetes/kubernetes#45030 - kubernetes/enhancements#266 - kubernetes/enhancements#267
This includes documenting the new CSR approver built into the controller manager and the kubelet alpha features for certificate rotation. Since the CSR approver changed over the 1.7 release cycle we need to call out the migration steps for those using the alpha feature. This document as a whole could probably use some updates, but the main focus of this PR is just to get these features minimally documented before the release. ref: - kubernetes/kubernetes#45030 - kubernetes/enhancements#266 - kubernetes/enhancements#267
|
@jcbsmpsn Can you please update this feature's status for v1.8? |
mikedanese
added
the
lifecycle/frozen
|
Discussed in sig-auth on 2022-12-07 - https://docs.google.com/document/d/1woLGRoONE3EBVx-wTb4pvp4CI7tmLZ6lS26VTbosLKM/edit#bookmark=id.52okchz28cmr
|
|
capturing current state in a retroactive KEP, ensuring test coverage exists, and marking as GA in 1.27 seems achievable |
|
work to capture this in a retroactive KEP for 1.27 got preempted by #3744 |
I looked at work needed to GA. Retrospective KEP: #3806 Couple things stand out:
Depending on the bar we want to use here, we may get it for 1.27. If not, I'd suggest we at least promote metrics to BETA in 1.27 |
|
We should document this - or commit resources to doing that documentation work - before we make it GA. Doing so helps but does not fully close kubernetes/website#30575 (which happens to be the oldest open issue against k/website). We do have https://kubernetes.io/docs/tasks/tls/certificate-rotation/ but it's pretty short, looks inaccurate, and doesn't cover the process clearly enough. Imagine that you're studying for the CKS and you're relying on the open source materials only; do you think the explanation covers what you need to learn? |
Atharva-Shinde
removed
the
tracked/no
|
Is SIG-Node interested in bringing this to GA in an upcoming cycle? Was any progress made on graduating metrics? @SergeyKanzhelev |
Metrics are not supporting beta. At least they were not when I checked. And making metrics Stable needs to be done with GA-ing of this feature |
|
@kannon92 expressed interest moving this forward. |
|
/assign |
It's supported now: https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/component-base/metrics/opts.go#L80-L82. The guidance for |
|
@logicalhan I opened up kubernetes/kubernetes#122834 to promote these metrics to beta. Not entirely sure if this has to be done before/after the retrospective KEP. |
|
/cc @tallclair |
|
/stage stable |
k8s-ci-robot
removed
the
stage/beta
k8s-ci-robot
added
the
stage/stable
Just to be clear, I took this KEP to sig-auth and I don't think there was any commitment from sig-auth to include this for 1.30. My hope is to get the retrospective KEP approved and maybe promote some metrics to beta in 1.30. I still need to find someone who can help with some historical context on this KEP as I am afraid I don't have that. |
|
/milestone clear |
and others
Feature Description
One-line feature description (can be used as a release note):
Rotation of the server TLS certificate on the kubelet.
Primary contact (assignee):
@mikedanese @liggitt
Responsible SIGs:
sig-auth
Design proposal link (community repo): Kubelet server certificate bootstrap and rotation community#602
Reviewer(s) - (for LGTM) recommend having 2+ reviewers (at least one from code-area OWNERS file) agreed to review. Reviewers from multiple companies preferred:
@mikedanese @awly
Approver (likely from SIG/area to which feature belongs):
@tallclair
Initial target stage (alpha/beta/stable) and release (x.y):
The text was updated successfully, but these errors were encountered: