KeyEncipherment usage should not be required for non-RSA kubelet client/serving CSRs #109077

Closed
liggitt opened this issue Mar 28, 2022 · 8 comments · Fixed by #111660
Labels: help wanted, kind/bug, lifecycle/frozen, priority/important-longterm, sig/auth, triage/accepted

Comments

liggitt (Member) commented Mar 28, 2022

What happened?

golang/go#36499 describes why the KeyEncipherment extended key usage does not make sense (and in some cases, is not allowed) for ECDSA keys.

The Kubernetes kubernetes.io/kubelet-serving and kubernetes.io/kube-apiserver-client-kubelet signer names require a key encipherment usage.

If the kubelet is not using an RSA key (which it does not by default), it should not need to specify this key usage.

Since relaxing this to make the key encipherment usage optional for those two signerNames may involve an API validation change, this may need rollout over 2 releases. The places we'll need to make sure work properly are:

  1. API validation of CSR create and update requests
  2. Controller tolerating CSR objects with/without that usage
  3. Kubelets requesting CSRs properly without that usage if given a non-RSA key

What did you expect to happen?

n/a

How can we reproduce it (as minimally and precisely as possible)?

n/a

Anything else we need to know?

No response

liggitt added the kind/bug label Mar 28, 2022
liggitt (Member, Author) commented Mar 28, 2022

/sig auth

k8s-ci-robot added the sig/auth and needs-triage labels and removed needs-sig Mar 28, 2022
liggitt added the priority/important-longterm and lifecycle/frozen labels Mar 28, 2022
enj added this to Needs Triage in SIG Auth Old Mar 29, 2022
liggitt added this to the v1.25 milestone Mar 31, 2022
liggitt added the help wanted label Apr 13, 2022
mikedanese added the help wanted label Apr 13, 2022
ritazh (Member) commented Apr 13, 2022

/triage accepted

mikedanese added the triage/accepted label Apr 13, 2022
k8s-ci-robot removed the needs-triage label Apr 13, 2022
ritazh moved this from Needs Triage to Backlog in SIG Auth Old Apr 13, 2022
hosseinsalahi commented
Hey @liggitt, Bug-Triage here!
There hasn't been any activity on this issue for a couple of months now. Just want to make sure this issue is still on track for 1.25?

liggitt (Member, Author) commented Jun 29, 2022

no one has picked it up, but it remains important

pacoxu (Member) commented Jul 1, 2022

/assign
I will take a look next week.

pacoxu (Member) commented Aug 8, 2022

milestone v1.25 task was done. We can tag this to be milestone v1.26 now.

liggitt modified the milestones: v1.25, v1.26 Aug 8, 2022
cailynse commented
Hello @pacoxu! Bug Triage shadow here - I wanted to check in and see if this issue is still on track for 1.26?

pacoxu (Member) commented Sep 22, 2022

> Hello @pacoxu! Bug Triage shadow here - I wanted to check in and see if this issue is still on track for 1.26?

Yes. I will follow up #111660 later, and there are still CI failures to be fixed.

enj moved this from Backlog to In Progress in SIG Auth Old Oct 3, 2022
leonardpahlke removed this from the v1.26 milestone Nov 9, 2022