Allow custom DNS and IP SANs for kubelet TLS bootstrapping CSR #72790

Closed
zacharya opened this Issue Jan 10, 2019 · 7 comments

zacharya commented Jan 10, 2019

What would you like to be added: It would be nice for kubelet to be able to accept custom DNS and IP SANs in bootstrap-kubeconfig for use when generating the CSR for TLS bootstrapping

Why is this needed: Currently the metrics server has to be run in insecure mode if you're using TLS bootstrapping

zacharya commented Jan 10, 2019

/sig node

@k8s-ci-robot k8s-ci-robot added sig/node and removed needs-sig labels Jan 10, 2019

zacharya commented Jan 10, 2019

It looks like currently, the bootstrap process just ignores the DNS and IP SAN parameters for MakeCSR in client-go:
https://github.com/kubernetes/client-go/blob/bfc2f811739f7d4171a4e0af9f7833c6ff197fbb/util/cert/csr.go#L30-L38
https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/certificate/bootstrap/bootstrap.go#L323

A possible approach might be adding options to the bootstrap kubeconfig:
https://github.com/kubernetes/kubernetes/blob/master/cmd/kubelet/app/options/options.go#L58

I'm happy to submit a PR if the enhancement is approved and the approach is agreed upon.
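As an added illustration (not code from this thread, from kubelet, or from client-go's MakeCSR), the Go snippet below builds a CSR that does carry DNS and IP SANs, which is what passing those parameters through would produce, and checks whether a given address is covered by the requested SANs. A CSR built with no SANs, as the bootstrap path currently emits, covers nothing, so a scraper dialing the kubelet by IP or hostname could only proceed by skipping verification. The subject, node name and IP used are constructed sample values; the matcher does exact matching only (no wildcards).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"net"
)

// buildCSR returns a parsed PKCS#10 CSR for a kubelet-style subject carrying
// the DNS and IP SANs that the thread says the bootstrap path currently drops.
func buildCSR(cn string, dnsSANs []string, ipSANs []net.IP) (*x509.CertificateRequest, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed throwaway key
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:     pkix.Name{CommonName: cn, Organization: []string{"system:nodes"}},
		DNSNames:    dnsSANs,
		IPAddresses: ipSANs,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

// sanMatches reports whether the CSR requests a SAN covering addr, i.e. whether a
// cert issued from it would pass a client's hostname check when dialing addr.
// IP literals are compared against IP SANs, anything else against DNS SANs.
func sanMatches(csr *x509.CertificateRequest, addr string) bool {
	ip := net.ParseIP(addr)
	for _, got := range csr.IPAddresses {
		if ip != nil && got.Equal(ip) {
			return true
		}
	}
	for _, name := range csr.DNSNames {
		if ip == nil && name == addr {
			return true
		}
	}
	return false
}
```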

zacharya commented Jan 10, 2019

/sig instrumentation

liggitt commented Jan 11, 2019

If you want control over the hostnames for your kubelet, you can:

  1. run with --cloud-provider=external and TLS cert rotation enabled
  2. set the hostname or IP or DNS addresses on the Node API object

When run with external cloud provider, the kubelet will request serving certs for whatever addresses are set into its Node object's status

liggitt commented Jan 13, 2019

bootstrap-kubeconfig is about the kubelet's client credentials to speak to the apiserver, not the kubelet's serving certificate

liggitt commented Jan 13, 2019

> Currently the metrics server has to be run in insecure mode if you're using TLS bootstrapping

It shouldn't need to if the kubelet is using TLS serving cert rotation, and the metrics server is given a trust bundle containing the CA used to sign CSRs

zacharya commented Jan 16, 2019

Ok, thanks for the follow up. This seems to be an issue brought about by our specific setup and not by the bootstrapping process itself.

@zacharya zacharya closed this Jan 16, 2019
