set --proxy-client-cert-file and --proxy-client-key-file for kube-up.sh #43716
Labels: priority/important-soon (Must be staffed and worked on either currently, or very soon, ideally in time for the next release), sig/api-machinery (Categorizes an issue or PR as relevant to SIG API Machinery), sig/cluster-lifecycle (Categorizes an issue or PR as relevant to SIG Cluster Lifecycle)
Comments
deads2k added the priority/important-soon and sig/api-machinery labels on Mar 27, 2017
liggitt added the sig/cluster-lifecycle label on Mar 27, 2017
cc @mikedanese, same concept as
Is anyone driving this for 1.7?
@cheftako do you have a pull for this?
cheftako added a commit to cheftako/kubernetes that referenced this issue on Jun 9, 2017:
Working on fixing kubernetes#43716. This will create the necessary certificates. On GCE it will upload those certificates to Metadata. They are then pulled down onto the kube-apiserver. They are written to the /etc/src/kubernetes/pki directory. Finally they are loaded via the appropriate command line flags. The requestheader-client-ca-file can be seen by running the following: `kubectl get ConfigMap extension-apiserver-authentication --namespace=kube-system -o yaml`. Minor bug fixes. Made sure AGGR_MASTER_NAME is set up in all configs. Clean up variable names. Added additional requestheader configuration parameters.
k8s-github-robot pushed a commit that referenced this issue on Jun 13, 2017:
Automatic merge from submit-queue (batch tested with PRs 47000, 47188, 47094, 47323, 47124)
Set up proxy certs for Aggregator.
Working on fixing #43716. This will create the necessary certificates. On GCE it will upload those certificates to Metadata. They are then pulled down onto the kube-apiserver. They are written to the /etc/src/kubernetes/pki directory. Finally they are loaded via the appropriate command line flags. The requestheader-client-ca-file can be seen by running the following: `kubectl get ConfigMap extension-apiserver-authentication --namespace=kube-system -o yaml`.
**What this PR does / why we need it**: This PR creates a request header CA. It also creates a proxy client cert/key pair. It causes these files to end up on kube-apiserver and sets the CLI flags so they are properly loaded. Without it the customer either has to set them up themselves or re-use the master CA, which is a security vulnerability. Currently this creates everything on GCE.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #43716
**Special notes for your reviewer**:
I re-open this issue since I reverted #47094
cheftako added a commit to cheftako/kubernetes that referenced this issue on Jun 15, 2017:
This will create the necessary certificates. On GCE it will upload those certificates to Metadata. They are then pulled down onto the kube-apiserver. They are written to the /etc/src/kubernetes/pki directory. Finally they are loaded via the appropriate command line flags. The requestheader-client-ca-file can be seen by running the following: `kubectl get ConfigMap extension-apiserver-authentication --namespace=kube-system -o yaml`. Minor bug fixes. Made sure AGGR_MASTER_NAME is set up in all configs. Clean up variable names. Added additional requestheader configuration parameters. Added check so that if there is no Aggregator CA contents we won't start the aggregator with the relevant flags.
k8s-github-robot pushed a commit that referenced this issue on Jun 17, 2017:
Automatic merge from submit-queue (batch tested with PRs 38751, 44282, 46382, 47603, 47606)
Working on fixing #43716. This will create the necessary certificates. On GCE it will upload those certificates to Metadata. They are then pulled down onto the kube-apiserver. They are written to the /etc/src/kubernetes/pki directory. Finally they are loaded via the appropriate command line flags. The requestheader-client-ca-file can be seen by running the following: `kubectl get ConfigMap extension-apiserver-authentication --namespace=kube-system -o yaml`. Minor bug fixes. Made sure AGGR_MASTER_NAME is set up in all configs. Clean up variable names. Added additional requestheader configuration parameters. Added check so that if there is no Aggregator CA contents we won't start the aggregator with the relevant flags.
**What this PR does / why we need it**: This PR creates a request header CA. It also creates a proxy client cert/key pair. It causes these files to end up on kube-apiserver and sets the CLI flags so they are properly loaded. Without it the customer either has to set them up themselves or re-use the master CA, which is a security vulnerability. Currently this creates everything on GCE.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #43716
**Special notes for your reviewer**: This is a reapply of pull/47094 with the GKE issue resolved.
**Release note**: None
The kube-apiserver needs a proxy client certificate for the aggregated API servers to trust in order to effectively proxy authentication. kubeadm already has the cert/key pairs required and #43715 wires them together. We need similar wiring for kube-up.sh so that our e2e tests can test the authentication and authorization flows. @cheftako @kubernetes/sig-api-machinery-misc