New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make CA valid 1 hour in the past #118631
Make CA valid 1 hour in the past #118631
Conversation
This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Hi @champtar. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
When running kubeadm / installing k8s early during boot, the CA certificate can be generated before time is synchronised and time is jumped backward. Make notBefore 1 hour in the past to accept small clock jump. Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
/sig auth |
Should we add |
/ok-to-test |
/assign @neolit123 |
for context, we had a related duscussion in the past IMO, if we are changing notBefore for CA certs, with one hour padding we should also do it for other certs. @champtar WDYT?
the k/k usage may only be by kubeadm, but there could be other external direct users of client go. |
This is the only place in k/k where NotBefore == time.Now()
In the kubeadm case NotBefore == ca.NotBefore
In pkg/controller/certificates/authority there is already some backdate logic
In client-go in GenerateSelfSignedCertKeyWithFixtures() there is already -1hour (that's why I picked 1h) kubernetes/staging/src/k8s.io/client-go/util/cert/cert.go Lines 103 to 104 in 1193ab6
Good point, if we want to be safe I can introduce a new function that take NotBefore as parameter and not change the behavior for everyone, please tell me what is preferred |
thanks for the info.
+1 given we already have this in other places and it was discussed before.
unclear what is better. likely the -1h padding without opt-out is fine. i can lgtm, but approval is up to api machinery (owners of client go). /lgtm |
LGTM label has been added. Git tree hash: 468ef00647a9d69239999ddfd3b63cb304100524
|
/release-note-edit
owners: please adjust the note if needed |
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: champtar, dims The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
This function is exported from client-go, is this really safe to do? |
i think the change is fine based on prior discussions. @champtar , your backports state "feature". we don't backport features per se. usually it has to be a blocking bug fix.. |
I just copied the kind/feature from this PR. It's blocking for my use case because I want to start as fast as possible, so before time sync, and the install fails if there is a time jump just after certificate generation, and I don't have a workaround except this PR. |
a slightly involved workaround for kubeadm would be to sign your own CA/certs/keys.
i think the client-go owners should take a look at this PR and the backports. EDIT: you can ping #sig-api-machinery on k8s slack. |
openssl doesn't provide an easy way to put the not before time in the past, my simplest workaround involved using
Will do, thanks |
Slack discussion: https://kubernetes.slack.com/archives/C0EG7JC6T/p1687815949656259 |
/release-note-none |
@neolit123: you can only set the release note label to release-note-none if the release-note block in the PR body text is empty or "none". In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/release-note-edit
|
What type of PR is this?
/kind feature
What this PR does / why we need it:
When running kubeadm / installing k8s early during boot, the CA certificate can be generated before time is synchronised and time is jumped backward.
Make notBefore 1 hour in the past to accept small clock jump.
Which issue(s) this PR fixes:
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: