Kubelet TLS Bootstrap #43

Open
philips opened this Issue Jul 22, 2016 · 68 comments

Contributor

philips commented Jul 22, 2016

Feature Description

  • One-line feature description (can be used as a release note): kubelet generates a private key and a CSR for submission to a cluster-level certificate signing process.
  • Primary contact (assignee): @mikedanese
  • Responsible SIGs: sig-auth
  • Design proposal link (community repo): https://github.com/kubernetes/community/blob/master/contributors/design-proposals/cluster-lifecycle/kubelet-tls-bootstrap.md
  • Link to e2e and/or unit tests:
  • Reviewer(s) - (for LGTM) recommend having 2+ reviewers (at least one from code-area OWNERS file) agreed to review. Reviewers from multiple companies preferred: @liggitt
  • Approver (likely from SIG/area to which feature belongs): @liggitt
  • Feature target (which target equals to which milestone):
    • Alpha release target (1.4)
    • Beta release target (1.6)
    • Stable release target (1.12)

philips Jul 22, 2016

Contributor

cc @kubernetes/sig-node FYI about this feature for Kubelet TLS bootstrap

mikedanese Jul 22, 2016

Member

I think we should consider this pre-alpha until we complete:

  • kubectl integration
  • kubelet integration
  • e2e testing

Is anyone currently working on this?

philips Jul 22, 2016

Contributor

@mikedanese @gtank should be working on all of those things to get the feature done done.

@philips philips added this to the v1.4 milestone Jul 23, 2016

gtank Jul 26, 2016

Current status of what needs to be done:

  1. kubelet needs to use the Certificates API. This will involve one new flag, provisionally --bootstrap-auth-token which will take a long random string. The kubelet uses this token to authenticate its requests to the Certificates API. Cluster-level access control should ensure that it can only be used for certificates requests. When this token exists, if the kubelet can't find TLS assets locally it will generate a fresh keypair and a Certificate Signing Request (CSR) to submit to the API. It will then watch the CSR object for the appearance of an issued certificate before proceeding with registration. It will use the certificate for client cert auth in subsequent API requests.
  2. kubectl needs to fully support CSR objects. This is currently blocked on a problem with the swagger generation and base64-encoded []byte fields. We also need to document the best way of handling the manual approval flow.
  3. Still need to write tests and update all the docs.
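
The kubelet and approval halves of the flow described in the comment above, as an added Go example that is not part of the original thread and is not Kubernetes source code. The names `NewNodeCSR` and `ReviewNodeCSR`, the `system:node:<name>` / `system:nodes` subject convention, and the reviewer knowing the expected node name out of band are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
)

// Assumed subject convention for node identities; it is not stated in this thread.
const (
	nodeUserPrefix = "system:node:"
	nodeGroup      = "system:nodes"
)

// NewNodeCSR (hypothetical name) is the kubelet side: create a fresh key pair
// on the node and a PKCS#10 request for it. Only the CSR is sent to the API.
func NewNodeCSR(nodeName string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{
			CommonName:   nodeUserPrefix + nodeName,
			Organization: []string{nodeGroup},
		},
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	block := &pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}
	return key, pem.EncodeToMemory(block), nil
}

// ReviewNodeCSR (hypothetical name) is the approval side. The bootstrap token
// is shared, so it says nothing about which node is asking: the reviewer must
// bind the request to the node it expects to be enrolling.
func ReviewNodeCSR(csrPEM []byte, expectedNode string) error {
	block, rest := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return errors.New("not a PEM certificate request")
	}
	if len(bytes.TrimSpace(rest)) != 0 {
		return errors.New("unexpected data after the request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return fmt.Errorf("malformed request: %w", err)
	}
	// Proof of possession: the request is signed by the key it asks to certify.
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("bad self-signature: %w", err)
	}
	if csr.Subject.CommonName != nodeUserPrefix+expectedNode {
		return fmt.Errorf("subject %q is not the expected node", csr.Subject.CommonName)
	}
	if len(csr.Subject.Organization) != 1 || csr.Subject.Organization[0] != nodeGroup {
		return fmt.Errorf("unexpected groups %q", csr.Subject.Organization)
	}
	// A client-auth identity needs no subject alternative names.
	if len(csr.DNSNames)+len(csr.IPAddresses)+len(csr.EmailAddresses)+len(csr.URIs) != 0 {
		return errors.New("client certificate request carries SANs")
	}
	return nil
}

func main() {
	_, csrPEM, err := NewNodeCSR("node-1") // constructed node name
	if err != nil {
		panic(err)
	}
	fmt.Println("expected node:", ReviewNodeCSR(csrPEM, "node-1"))
	fmt.Println("other node:   ", ReviewNodeCSR(csrPEM, "node-2"))
}
```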

philips Aug 5, 2016

Contributor

Status update:

PR for kubelet TLS bootstrap is up: kubernetes/kubernetes#30094

mikedanese Aug 5, 2016

Member

Kubectl support tracked in kubernetes/kubernetes#30163 with some basic support PRs out

gtank Aug 8, 2016

Status update for TLS work:

In flight:

Issues:

Merged:

liggitt Aug 9, 2016

Member

> It will use the certificate for client cert auth in subsequent API requests.

The scope of kubernetes/kubernetes#20439 was around obtaining TLS serving certs. The kubelet's use of this API should probably be limited to obtaining serving certs initially. Since the kubelet already needs API credentials to submit the initial CSR, obtaining client credentials this way doesn't buy us a whole lot from a bootstrapping perspective.

mikedanese Aug 9, 2016

Member

It allows us to bootstrap individual kubelet identities from a single cluster wide shared secret (bearer token for a kubelet-bootstrap user authorized to submit CSRs).

liggitt Aug 9, 2016

Member

If the goal is to identify kubelets individually so we can partition node permissions (which I am in favor of), multiple identities obtained from a single shared credential aren't meaningful from an auth perspective.

If we just want to identify requests from different nodes for debugging purposes, we can do that with user-agent strings (the same way controllers set up their own client user-agent string)

mikedanese Aug 9, 2016

Member

> multiple identities obtained from a single shared credential

I'm not convinced of this. In fact I think this would work equally well if the CSR API was open (didn't require auth[n/z]). The shared secret is a mechanism that prevents a specific DoS attack where a user could spam the CSR API with CSRs that would not be approved. @gtank can you weigh in on this?

bgrant0607 Aug 9, 2016

Member

cc @kubernetes/sig-cluster-lifecycle

philips Aug 11, 2016

Contributor

@mikedanese @liggitt can we please move the technical discussion about the design of the system to the https://groups.google.com/forum/#!forum/kubernetes-sig-node mailing list.

gtank Aug 11, 2016

@liggitt @mikedanese The nodes derive individual identities from the shared token. The token only exists to 1) filter requests meant for other clusters and 2) allow us to restrict the nodes (via groups or ABAC) from accessing the rest of the API before they have client certs.

pwittrock Aug 15, 2016

Member

@philips Is this on target for the 1.4 feature freeze this Friday (Aug 19)?

mike-saparov Aug 16, 2016

@pwittrock: based on kubernetes/kubernetes#30094 this feature suddenly started being redesigned in flight after 5 months of work... Any suggestions on how to avoid the major redesign three days before feature freeze are welcome

smarterclayton Aug 16, 2016

Contributor

Occasionally we will realize gaps in designed features as they are implemented. We definitely need a process that handles that - rushing features to delivery without all the proper technical due diligence being done is going to cause more issues than occasionally features missing a release. I think everyone involved is trying to find the best and most secure option for the platform here.

mike-saparov Aug 16, 2016

@smarterclayton based on PR discussions it would be great if @liggitt and @deads2k could help with parts of the feature, wdyt? any coding / review help is appreciated to address raised concerns.

smarterclayton Aug 16, 2016

Contributor

I believe both of them had been representing sig-auth on the security aspects here - I had not yet seen an update on the remaining issues though. That's probably appropriate on the linked issue.

k8s-merge-robot added a commit to kubernetes/kubernetes that referenced this issue Aug 21, 2016

Merge pull request #30922 from yifan-gu/tls_bootstrap_refactor
Automatic merge from submit-queue

Implement TLS bootstrap for kubelet using `--experimental-bootstrap-kubeconfig`  (2nd take)

Ref kubernetes/features#43 (comment)

cc @gtank @philips @mikedanese @aaronlevy @liggitt @deads2k @errordeveloper @justinsb 


Continue on the older PR #30094 as there are too many comments on that one and it's not loadable now.

gtank Aug 23, 2016

Update: kubelet support merged in kubernetes/kubernetes#30922

yifan-gu Aug 23, 2016

Member

To be more clear, kubernetes/kubernetes#30922 only requests the kubelet client cert from API server. We will need follow up work on getting the kubelet serving cert.

errordeveloper Aug 24, 2016

Member

Could you create another issue to clarify that?

On Wed, 24 Aug 2016, 00:18 Yifan Gu, notifications@github.com wrote:

> To be more clear, kubernetes/kubernetes#30922 only requests the kubelet client cert from API server. We will need follow up work on getting the kubelet serving cert.


yifan-gu Aug 26, 2016

Member

@errordeveloper Basically we need to think about:

  • How this continues to combine with the work of dynamic kubelet settings kubernetes/kubernetes#27980
  • How we get the serving cert for kubelet
  • How to do the cert rotation

Probably need to sync with @kubernetes/sig-auth to get a better idea before creating the issue.

@mikedanese mikedanese referenced this issue Aug 31, 2016

Closed

kubeadm graduation requirements #31711

0 of 11 tasks complete

@roberthbailey roberthbailey added this to the v1.10 milestone Jan 2, 2018

idvoretskyi Jan 22, 2018

Member

@roberthbailey still beta for 1.10?

@mikedanese mikedanese added stage/stable and removed stage/beta labels Jan 22, 2018

mikedanese Jan 22, 2018

Member

This is going to GA next.

idvoretskyi Jan 22, 2018

Member

@mikedanese GA in 1.10, right?

Member

idvoretskyi commented Jan 22, 2018

@mikedanese thanks.

@mikedanese mikedanese modified the milestones: v1.10, v1.11 Mar 2, 2018

mikedanese Mar 2, 2018

Member

This didn't make the cut.

@luxas luxas added stage/beta and removed stage/stable labels Mar 13, 2018

luxas Mar 13, 2018

Member

> This didn't make the cut.

cc @nickchase

idvoretskyi Mar 13, 2018

Member

@mikedanese can you please update the OP with the new issue template? It will simplify the feature tracking a lot. Thanks

@kubernetes/sig-auth-feature-requests @kubernetes/sig-cluster-lifecycle-feature-requests @kubernetes/sig-node-feature-requests

justaugustus Apr 17, 2018

Member

@mikedanese @kubernetes/sig-auth-feature-requests @kubernetes/sig-cluster-lifecycle-feature-requests @kubernetes/sig-node-feature-requests

Any plans for this in 1.11?

If so, can you please ensure the feature is up-to-date with the appropriate:

  • Description
  • Milestone
  • Assignee(s)
  • Labels:
    • stage/{alpha,beta,stable}
    • sig/*
    • kind/feature

cc @idvoretskyi

mistyhacks May 24, 2018

@mikedanese please fill out the appropriate line item of the
1.11 feature tracking spreadsheet
and open a placeholder docs PR against the
release-1.11 branch
by 5/25/2018 (tomorrow as I write this) if new docs or docs changes are
needed and a relevant PR has not yet been opened.

justaugustus Jun 4, 2018

Member

@mikedanese -- We're doing one more sweep of the 1.11 Features tracking spreadsheet.
Would you mind filling in any incomplete / blank fields for this feature's line item?

@mikedanese mikedanese modified the milestones: v1.11, next-milestone Jun 4, 2018

mikedanese Jun 4, 2018

Member

No updates. Bumped to next milestone.

justaugustus Jun 4, 2018

Member

Thanks for the update, @mikedanese!

@justaugustus justaugustus modified the milestones: next-milestone, v1.12 Jul 2, 2018

justaugustus Jul 18, 2018

Member

@mikedanese @kubernetes/sig-auth-feature-requests @kubernetes/sig-cluster-lifecycle-feature-requests @kubernetes/sig-node-feature-requests --

This feature was removed from the previous milestone, so we'd like to check in and see if there are any plans for this in Kubernetes 1.12.

If so, please ensure that this issue is up-to-date with ALL of the following information:

  • One-line feature description (can be used as a release note):
  • Primary contact (assignee):
  • Responsible SIGs:
  • Design proposal link (community repo):
  • Link to e2e and/or unit tests:
  • Reviewer(s) - (for LGTM) recommend having 2+ reviewers (at least one from code-area OWNERS file) agreed to review. Reviewers from multiple companies preferred:
  • Approver (likely from SIG/area to which feature belongs):
  • Feature target (which target equals to which milestone):
    • Alpha release target (x.y)
    • Beta release target (x.y)
    • Stable release target (x.y)

Set the following:

  • Description
  • Assignee(s)
  • Labels:
    • stage/{alpha,beta,stable}
    • sig/*
    • kind/feature

Please note that the Features Freeze is July 31st, after which any incomplete Feature issues will require an Exception request to be accepted into the milestone.

In addition, please be aware of the following relevant deadlines:

  • Docs deadline (open placeholder PRs): 8/21
  • Test case freeze: 8/28

Please make sure all PRs for features have relevant release notes included as well.

Happy shipping!

/cc @justaugustus @kacole2 @robertsandoval @rajendar38

luxas Jul 30, 2018

Member

@kubernetes/sig-auth-feature-requests can we graduate this to stable in v1.12?

justaugustus Jul 31, 2018

Member

@mikedanese @kubernetes/sig-auth-feature-requests @kubernetes/sig-auth-misc --
Feature Freeze is today. Are we planning on graduating this feature in Kubernetes 1.12?
If so, can you make sure everything is up-to-date, so I can include it on the 1.12 Feature tracking spreadsheet?

mikedanese Jul 31, 2018

Member

I'm ok with this going to GA as long as the certificates API remains beta.

@mikedanese mikedanese added stage/stable and removed stage/beta labels Jul 31, 2018

liggitt Aug 1, 2018

Member

Can a GA feature depend on a beta API? What does that mean, support-wise?

justaugustus Aug 4, 2018

Member

I've added this to the 1.12 sheet as stable, but let me know if we need to walk that back.
cc: @kacole2 @wadadli @robertsandoval @rajendar38

luxas Aug 4, 2018

Member

> I'm ok with this going to GA as long as the certificates API remains beta.

Why not graduate the as-is API to GA and do a v2 in case we need additional features or whatever?

liggitt Aug 10, 2018

Member

We discussed this in the sig-auth meeting on 8/8, and agreed the bootstrap feature can be promoted to stable, but not the CSR API yet. That means the externally-facing portions of the bootstrap mechanism (bootstrap kubeconfig, etc) will continue to be supported.
