KeyEncipherment usage should not be required for non-RSA kubelet client/serving CSRs #109077
Comments
/sig auth
/triage accepted
Hey @liggitt, Bug-Triage here!
no one has picked it up, but it remains important
/assign
milestone v1.25 task was done. We can tag this to be milestone v1.26 now.
Hello @pacoxu! Bug Triage shadow here - I wanted to check in and see if this issue is still on track for 1.26?
What happened?
golang/go#36499 describes why the KeyEncipherment extended key usage does not make sense (and in some cases, is not allowed) for ECDSA keys.
The Kubernetes `kubernetes.io/kubelet-serving` and `kubernetes.io/kube-apiserver-client-kubelet` signer names require a `key encipherment` usage. If the kubelet is not using an RSA key (which it does not by default), it should not need to specify this key usage.
Since relaxing this to make the `key encipherment` usage optional for those two signerNames may involve an API validation change, this may need rollout over 2 releases. The places we'll need to make sure work properly are:
What did you expect to happen?
n/a
How can we reproduce it (as minimally and precisely as possible)?
n/a
Anything else we need to know?
No response
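As an added worked example (not code from this issue or from the Kubernetes code base): a kubelet-style CSR built from an ECDSA or RSA key, a helper that parses the CSR to decide whether `key encipherment` belongs in its usage set, and a hypothetical relaxed validator of the kind the issue proposes. The usage strings and the two signer names are the real `certificates.k8s.io/v1` values; the `system:node:<name>` subject and the validator's exact acceptance rule (key encipherment required for RSA, tolerated but not required for ECDSA, anything else rejected) are assumptions for illustration, not Kubernetes' actual validation logic.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
)

// Usage strings as they appear in a certificates.k8s.io/v1 CSR's spec.usages,
// plus the two kubelet signer names the issue is about.
const (
	UsageDigitalSignature = "digital signature"
	UsageKeyEncipherment  = "key encipherment"
	UsageServerAuth       = "server auth"
	UsageClientAuth       = "client auth"

	SignerKubeletServing             = "kubernetes.io/kubelet-serving"
	SignerKubeAPIServerClientKubelet = "kubernetes.io/kube-apiserver-client-kubelet"
)

// NewKubeletCSR builds a PEM-encoded PKCS#10 request the way a kubelet would,
// signed with key (RSA or ECDSA). The system:node:<name> subject is assumed.
func NewKubeletCSR(nodeName string, key crypto.Signer) ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{
		CommonName:   "system:node:" + nodeName,
		Organization: []string{"system:nodes"},
	}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// KeyEnciphermentRequired parses the CSR and reports whether "key encipherment"
// belongs in its usage set: true for an RSA key, false for an ECDSA key, which
// cannot encipher anything. A validator must look inside spec.request to decide.
func KeyEnciphermentRequired(csrPEM []byte) (bool, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return false, fmt.Errorf("not a PEM CERTIFICATE REQUEST")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return false, err
	}
	if err := csr.CheckSignature(); err != nil {
		return false, fmt.Errorf("CSR self-signature invalid: %w", err)
	}
	switch csr.PublicKey.(type) {
	case *rsa.PublicKey:
		return true, nil
	case *ecdsa.PublicKey:
		return false, nil
	default:
		return false, fmt.Errorf("unsupported key type %T", csr.PublicKey)
	}
}

// UsagesFor returns the usages a kubelet should request from signer for the
// key in csrPEM: key encipherment is included only when that key is RSA.
func UsagesFor(signer string, csrPEM []byte) ([]string, error) {
	needKE, err := KeyEnciphermentRequired(csrPEM)
	if err != nil {
		return nil, err
	}
	usages := []string{UsageDigitalSignature}
	if needKE {
		usages = append(usages, UsageKeyEncipherment)
	}
	switch signer {
	case SignerKubeletServing:
		return append(usages, UsageServerAuth), nil
	case SignerKubeAPIServerClientKubelet:
		return append(usages, UsageClientAuth), nil
	default:
		return nil, fmt.Errorf("unknown signer %q", signer)
	}
}

// ValidateUsages is a hypothetical relaxed API check: every usage the signer
// needs for this key type must be present; key encipherment is required for RSA
// and merely tolerated for ECDSA (so kubelets that still send it keep working
// during a two-release rollout); any other usage is rejected.
func ValidateUsages(signer string, csrPEM []byte, requested []string) error {
	required, err := UsagesFor(signer, csrPEM)
	if err != nil {
		return err
	}
	allowed := map[string]bool{UsageKeyEncipherment: true}
	for _, u := range required {
		allowed[u] = true
	}
	seen := map[string]bool{}
	for _, u := range requested {
		if !allowed[u] {
			return fmt.Errorf("usage %q is not permitted for signer %s", u, signer)
		}
		seen[u] = true
	}
	for _, u := range required {
		if !seen[u] {
			return fmt.Errorf("usage %q is required for signer %s", u, signer)
		}
	}
	return nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // kubelet's default key type
	csr, _ := NewKubeletCSR("node-1", key)
	usages, _ := UsagesFor(SignerKubeletServing, csr)
	fmt.Println(usages, ValidateUsages(SignerKubeletServing, csr, usages))
}
```

The point of parsing the CSR rather than trusting a flag is that the usage requirement depends on the key type inside `spec.request`, which is the piece a validation change has to inspect; `CheckSignature` also confirms the requester holds the key before its type is used to decide anything.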