kubeadm 710 Switch to a dedicated CA for kubeadm etcd identities #60385
Conversation
k8s-ci-robot
added
release-note
stealthybox
force-pushed
the
feature/kubeadm_710-etcd-ca
branch
from
dddf030
to
07802e2
Compare
stealthybox
force-pushed
the
feature/kubeadm_710-etcd-ca
branch
3 times, most recently
from
9eb98eb
to
be66dcf
Compare
|
/cc @detiber @ericchiang @kubernetes/sig-cluster-lifecycle-pr-reviews |
k8s-ci-robot
added
the
sig/cluster-lifecycle
timothysc
added
kind/bug
|
This was an implementation request/bug from the original PR so it meets the criteria for post freeze inclusion. |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
| @@ -302,6 +322,17 @@ func NewAPIServerKubeletClientCertAndKey(caCert *x509.Certificate, caKey *rsa.Pr | |||
| return apiClientCert, apiClientKey, nil | |||
| } | |||
|
|
|||
| // NewEtcdCACertAndKey generate a self signed front proxy CA. | |||
There was a problem hiding this comment.
Why is it a front proxy CA?
There was a problem hiding this comment.
Fixed -- thanks peter!
stealthybox
force-pushed
the
feature/kubeadm_710-etcd-ca
branch
from
be66dcf
to
41974cb
Compare
k8s-github-robot
removed
the
lgtm
|
oops... did not notice it was already in the queue 🙃 |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/area kubeadm |
|
@stealthybox Could you please squash your commits? |
|
@dixudx thanks for reviewing! I separated the typos so that the CA related commit is easier to understand. |
|
@stealthybox IMO The second commit is more about renaming. But it's okay to keep it as it is. |
|
/lgtm |
| @@ -136,17 +136,22 @@ func upgradeComponent(component string, waiter apiclient.Waiter, pathMgr StaticP | |||
| } | |||
|
|
|||
| // ensure etcd certs are generated for etcd and kube-apiserver | |||
| if component == constants.Etcd || component == constants.KubeAPIServer { | |||
There was a problem hiding this comment.
Why CreateEtcdCACertAndKeyFiles needs to run when upgrading the api server?
There was a problem hiding this comment.
IIUC, CreateEtcdServerCertAndKeyFiles in L145 and CreateAPIServerEtcdClientCertAndKeyFiles in L153 depends on etcd CA to generate their cert and key files, CreateEtcdCACertAndKeyFiles ensures etcd CA files are existing or generated.
There was a problem hiding this comment.
Makes sense
/hold cancel
There was a problem hiding this comment.
Peter explained correctly what I was thinking 👍
The happy path would work without it, but if you ever wanted the apiserver to start independently of etcd, it would fail.
timothysc
added
the
approved
|
[APPROVALNOTIFIER] This PR is APPROVED Approval requirements bypassed by manually added approval. This pull-request has been approved by: detiber, dixudx, stealthybox, timothysc The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/hold |
k8s-ci-robot
added
the
do-not-merge/hold
|
xref #60608 |
k8s-ci-robot
removed
the
do-not-merge/hold
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here. |
|
This seems to break self-hosting, self-hosted kube-apiserver: @timothysc I'm not sure what the status is for storing certs as secrets in the cluster. I know it is behind a feature gate, but is that something we wan't to continue to do? IIRC there were security concerns with that. I can add |
|
@andrewrynhard do we rely on external etcd for self-hosted? I know there's upgrade logic that modifies the static pod manifests for self-hosted -- we could ensure the cert is generated and mounted or just remove this option unless a user specifies an external etcd cert. |
|
@stealthybox sorry, I should have been more specific... this breaks self-hosting if |
|
I think I found the bug. |
|
At a minimum, we should add the apiserver client cert to |
|
@andrewrynhard I believe the patch should include something like this: diff --git a/cmd/kubeadm/app/phases/selfhosting/selfhosting_volumes.go b/cmd/kubeadm/app/phases/selfhosting/selfhosting_volumes.go
index 627fb01f04..2446843c34 100644
--- a/cmd/kubeadm/app/phases/selfhosting/selfhosting_volumes.go
+++ b/cmd/kubeadm/app/phases/selfhosting/selfhosting_volumes.go
@@ -279,6 +279,11 @@ func getTLSKeyPairs() []*tlsKeyPair {
cert: kubeadmconstants.APIServerKubeletClientCertName,
key: kubeadmconstants.APIServerKubeletClientKeyName,
},
+ {
+ name: kubeadmconstants.APIServerEtcdClientCertAndKeyBaseName,
+ cert: kubeadmconstants.APIServerEtcdClientCertName,
+ key: kubeadmconstants.APIServerEtcdClientKeyName,
+ },
{
name: kubeadmconstants.ServiceAccountKeyBaseName,
cert: kubeadmconstants.ServiceAccountPublicKeyName,Probably needs a test as well -- I can help review. |
|
We also need to add a matching |
|
@stealthybox I can create an issue once I’m back to the computer. First glance I think that patch is all we need. |
|
That patch and the projected volume |
What this PR does / why we need it:
On
kubeadm init/kubeadm upgrade, this PR generates an etcd specific CA for signing the following certs:These certs were previously signed by the kubernetes CA.
The etcd static pod in
local.gohas also been updated to only mount the/etcdsubdir ofcfg.CertificatesDir.New phase command:
See the linked issue for details on why this change is an important security feature.
Which issue(s) this PR fixes
Fixes kubernetes/kubeadm#710
Special notes for your reviewer:
on the master
this should still fail:
this should now fail: (previously would succeed)
this should still succeed:
Release note: