[WIP] When kubelet enables rotate-certificates and bootstrap, request CSR in foreground #112240
/remove-sig api-machinery
It's unclear to me what the implications of blocking on this are for running static pods. I know putting this in the background was explicitly done so that static pods would not be impacted by CSR requests. xref #69890 /cc @smarterclayton /hold
@liggitt In my scenario:
For now, it will request the CSR in the background and check certificates every 10 seconds: https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/certificate/transport.go#L57. Once the CSR is delayed, it has to wait for the next cycle, which is too long in our scenario. How about the following options?
WDYT?
Is the issue that this line allows successfully establishing connections with no certificate while waiting for the initial certificate, and those connections persist up to 10 seconds once the initial CSR is approved/signed/issued? (kubernetes/pkg/kubelet/certificate/transport.go, lines 92 to 94 in 7cba7e6)
It seems reasonable to check more frequently until we get a non-null initial certificate... opened #114367 as a possible example of that.
This PR has the label work-in-progress; please revisit to see if you still need this, and please close if not.
/close
@enj: Closed this PR. In response to this: /close
What type of PR is this?
/kind feature
What this PR does / why we need it:
When the kubelet enables rotate-certificates and bootstrap, request the CSR in the foreground. It can help reduce the uncertainty of node registration time.
Which issue(s) this PR fixes:
Fixes #112170
Special notes for your reviewer:
Now, when the kubelet enables rotate-certificates and bootstrap-kubeconfig, it requests the CSR in the background. With delayed CSR approval, the kubelet uses the bootstrap token to register, but the bootstrap token has no permission. It then needs to wait 10s for the client transport TLS config to change.
Requesting the CSR in the foreground, even if the CSR is delayed a few seconds, the kubelet will register successfully immediately after the CSR is approved. It doesn't need to wait 10s for the certificate check.
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
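As an added illustration, not code from this PR or from the kubelet itself, here is a small Go model of the two behaviours discussed in the thread: a `certStore` standing in for the kubelet's certificate manager, a `tls.Config` whose `GetClientCertificate` callback fails closed while no certificate has been issued (instead of returning an empty certificate, the concern raised about lines 92 to 94), and a `waitForFirstCert` that blocks in the foreground until the first certificate arrives. All names are hypothetical, and the 10-second refresh period becomes a caller-chosen interval.

```go
package main

import (
	"context"
	"crypto/tls"
	"errors"
	"sync"
	"time"
)

// certStore is a hypothetical stand-in for the kubelet's client certificate
// manager: Current() is nil until the bootstrap CSR is approved and issued.
type certStore struct {
	mu   sync.Mutex
	cert *tls.Certificate
}

func (s *certStore) Current() *tls.Certificate { s.mu.Lock(); defer s.mu.Unlock(); return s.cert }
func (s *certStore) Set(c *tls.Certificate)  { s.mu.Lock(); defer s.mu.Unlock(); s.cert = c }

// errNoCert fails the handshake while no certificate exists, so no connection is
// established without a certificate and then kept alive past its issuance.
var errNoCert = errors.New("client certificate not issued yet")

// clientTLSConfig consults the store on every handshake, so a newly issued
// certificate is used by the next connection without rebuilding the transport.
func clientTLSConfig(s *certStore) *tls.Config {
	return &tls.Config{GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
		if c := s.Current(); c != nil {
			return c, nil
		}
		return nil, errNoCert
	}}
}

// waitForFirstCert is the foreground path: block until the first certificate is
// present, polling at interval, or give up when ctx expires. It returns the
// number of polls so a caller can see how long registration was delayed.
func waitForFirstCert(ctx context.Context, s *certStore, interval time.Duration) (int, error) {
	ticker := time.NewTicker(interval)
	defer ticker.Stop()
	for polls := 1; ; polls++ {
		if s.Current() != nil {
			return polls, nil
		}
		select {
		case <-ctx.Done():
			return polls, ctx.Err()
		case <-ticker.C:
		}
	}
}
```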