self-signed kubelet server certificate is never renewed #99418
@champtar: This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/sig node |
kubeadm doesn't use the kubelet serving certificate for anything, thus it's not enabling its automatic rotation via --rotate-server-certificates RotateKubeletServerCertificate or manual rotation. also see the note there that the rotation requires an external controller to sign CSRs: related thread:
kubeadm will not enable this feature anytime soon, due to the "minimal viable principle" - i.e. the majority of kubeadm users don't need this. you can ask kubespray to see what their stance is on doing it at a higher level. /remove-sig node
@neolit123: Closing this issue. In response to this:
What happened:
Looking at how to easily renew kubelet server certificate (serverTLSBootstrap + custom approver/script to regenerate a new cert myself/...), I had a look at the code and I can only find kubelet.crt (https://github.com/kubernetes/kubernetes/search?q=kubelet.crt&type=code) here: kubernetes/cmd/kubelet/app/server.go, lines 985 to 990 in e7cc211.
This checks if the cert/key are readable but not if the cert is still valid.
What you expected to happen:
selfsigned cert is rotated before expiration
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know?:
I have only looked at the code and not manually reproduced it, but I can't find anything in k8s/kubeadm rotating this cert
Environment:
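The issue above turns on the difference between a certificate file being readable and the certificate still being inside its validity window. The following Go program is an added example, not kubelet code and not part of the original thread: it classifies a PEM certificate by its NotBefore/NotAfter dates, which an operator could run against a node's serving certificate. The names `certStatus` and `selfSigned`, the 30-day renewal window and the `node.example` subject are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// certStatus parses a PEM certificate and classifies its validity window at time now.
func certStatus(pemBytes []byte, now time.Time, renewBefore time.Duration) (string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", fmt.Errorf("no CERTIFICATE PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	switch {
	case now.Before(cert.NotBefore):
		return "not-yet-valid", nil
	case now.After(cert.NotAfter):
		return "expired", nil // the file is readable, but the cert is no longer valid
	case cert.NotAfter.Sub(now) <= renewBefore:
		return "renew", nil // still valid, but inside the renewal window
	}
	return "ok", nil
}

// selfSigned returns a constructed self-signed certificate (sample input only).
func selfSigned(notBefore, notAfter time.Time) ([]byte, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "node.example"}, NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), err
}

func main() {
	now := time.Now()
	pemBytes, _ := selfSigned(now.AddDate(-1, 0, -1), now.AddDate(0, 0, -1)) // constructed: expired yesterday
	fmt.Println(certStatus(pemBytes, now, 30*24*time.Hour))
}
```

To check a real file, read it with `os.ReadFile` and pass the bytes to `certStatus` in place of the constructed sample.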