csr: add expirationSeconds field to control cert lifetime #99494
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
k8s-ci-robot
added
the
release-note
k8s-ci-robot
added
sig/auth
k8s-ci-robot
added
area/apiserver
area/kubectl
area/kubelet
area/test
sig/api-machinery
|
This PR may require API review. If so, when the changes are ready, complete the pre-review checklist and request an API review. Status of requested reviews is tracked in the API Review project. |
enj
force-pushed
the
enj/i/not_after_ttl_hint
branch
from
de5b26c
to
d0d001b
Compare
k8s-ci-robot
added
size/XXL
enj
commented
Feb 26, 2021
...o/api/testdata/v1.19.0/certificates.k8s.io.v1.CertificateSigningRequest.after_roundtrip.json
Outdated
Show resolved
Hide resolved
|
@logicalhan: GitHub didn't allow me to request PR reviews from the following users: to, verify. Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This change updates the CSR API to add a new, optional field called expirationSeconds. This field is a request to the signer for the maximum duration the client wishes the cert to have. The signer is free to ignore this request based on its own internal policy. The signers built-in to KCM will honor this field if it is not set to a value greater than --cluster-signing-duration. The minimum allowed value for this field is 600 seconds (ten minutes). This change will help enforce safer durations for certificates in the Kube ecosystem and will help related projects such as cert-manager with their migration to the Kube CSR API. Future enhancements may update the Kubelet to take advantage of this field when it is configured in a way that can tolerate shorter certificate lifespans with regular rotation. Signed-off-by: Monis Khan <mok@vmware.com>
Signed-off-by: Monis Khan <mok@vmware.com>
enj
force-pushed
the
enj/i/not_after_ttl_hint
branch
from
b5400d9
to
8d49502
Compare
|
/retest |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: enj, liggitt The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/retest |
|
@enj: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/retest |
timebertt
added a commit
to timebertt/gardener
that referenced
this pull request
Oct 14, 2021
timebertt
added a commit
to gardener/gardener
that referenced
this pull request
Oct 14, 2021
* Upgrade to k8s.io/*@v0.22.2 in go.mod
* [automated] make revendor
* [automated] make generate
* [automated] make revendor
github.com/go-openapi/spec seems to be orphaned after previous make generate
* Upgrade to c-r@v0.10.2 in go.mod
Also, upgrade setup-envtest (doesn't have a tagged release yet, so use
release commit instead)
* [automated] make revendor
* Upgrade to controller-tools@v0.7.0 in go.mod
* [automated] make revendor
* Add missing WarningsOn{Create,Update} to rest strategies
* Replace dot imports for github.com/onsi/gomega/types
Fix linting errors: `Assertion` redeclared in this block (typecheck)
* Switch to typed values for WebhookInstallOptions.*Webhooks
ref kubernetes-sigs/controller-runtime#1626
* RequestCertificate now takes an optional requestedDuration
ref kubernetes/kubernetes#99494
* Switch to matchers.DeepEqual to test semantic equality
Maps (e.g. labels, selectors, resource requirements) might be sorted differently
than expected. Hence, use semantic equality instead of strict equality, as this
is what matters to us.
Also, DeepEqual outputs yaml and adds a nice diff indicator instead of printing
some large confusing go struct representation.
* Add new memorySwap field to expected kubelet config
ref kubernetes/kubernetes#102823
* Round condition.lastUpdateTime to seconds in test
There were several changes in the fake clients that might cause the failure
to happen just now.
* Correct unit tests falsely succeeding
These tests were not preparing the test objects correctly: they only updated
them in memory but not on the fake client. This wasn't caught until now
because the fake client mimicked the real json decoder, which didn't unset
fields not present on the server. Now that the fake client zeroes fields,
the tests started failing (which is correct). So fix the tests.
ref kubernetes-sigs/controller-runtime#1651
* Remove workarounds for missing zeroing in json decoder
Now that the c-r client zeroes fields before decoding into the object,
we can drop our workarounds for this, so basically drop
kutil.CreateResetObjectFunc and its usages.
ref kubernetes-sigs/controller-runtime#1640
* Drop setting webhook gvk explicitly in envtest
webhookConfig.SetGroupVersionKind is not needed anymore with
kubernetes-sigs/controller-runtime#1665
* Add some follow-up TODO comments
* [automated] make generate
but with go 1.16.9
* Address review comments
krgostev
pushed a commit
to krgostev/gardener
that referenced
this pull request
Apr 21, 2022
* Upgrade to k8s.io/*@v0.22.2 in go.mod
* [automated] make revendor
* [automated] make generate
* [automated] make revendor
github.com/go-openapi/spec seems to be orphaned after previous make generate
* Upgrade to c-r@v0.10.2 in go.mod
Also, upgrade setup-envtest (doesn't have a tagged release yet, so use
release commit instead)
* [automated] make revendor
* Upgrade to controller-tools@v0.7.0 in go.mod
* [automated] make revendor
* Add missing WarningsOn{Create,Update} to rest strategies
* Replace dot imports for github.com/onsi/gomega/types
Fix linting errors: `Assertion` redeclared in this block (typecheck)
* Switch to typed values for WebhookInstallOptions.*Webhooks
ref kubernetes-sigs/controller-runtime#1626
* RequestCertificate now takes an optional requestedDuration
ref kubernetes/kubernetes#99494
* Switch to matchers.DeepEqual to test semantic equality
Maps (e.g. labels, selectors, resource requirements) might be sorted differently
than expected. Hence, use semantic equality instead of strict equality, as this
is what matters to us.
Also, DeepEqual outputs yaml and adds a nice diff indicator instead of printing
some large confusing go struct representation.
* Add new memorySwap field to expected kubelet config
ref kubernetes/kubernetes#102823
* Round condition.lastUpdateTime to seconds in test
There were several changes in the fake clients that might cause the failure
to happen just now.
* Correct unit tests falsely succeeding
These tests were not preparing the test objects correctly: they only updated
them in memory but not on the fake client. This wasn't caught until now
because the fake client mimicked the real json decoder, which didn't unset
fields not present on the server. Now that the fake client zeroes fields,
the tests started failing (which is correct). So fix the tests.
ref kubernetes-sigs/controller-runtime#1651
* Remove workarounds for missing zeroing in json decoder
Now that the c-r client zeroes fields before decoding into the object,
we can drop our workarounds for this, so basically drop
kutil.CreateResetObjectFunc and its usages.
ref kubernetes-sigs/controller-runtime#1640
* Drop setting webhook gvk explicitly in envtest
webhookConfig.SetGroupVersionKind is not needed anymore with
kubernetes-sigs/controller-runtime#1665
* Add some follow-up TODO comments
* [automated] make generate
but with go 1.16.9
* Address review comments
krgostev
pushed a commit
to krgostev/gardener
that referenced
this pull request
Jul 5, 2022
* Upgrade to k8s.io/*@v0.22.2 in go.mod
* [automated] make revendor
* [automated] make generate
* [automated] make revendor
github.com/go-openapi/spec seems to be orphaned after previous make generate
* Upgrade to c-r@v0.10.2 in go.mod
Also, upgrade setup-envtest (doesn't have a tagged release yet, so use
release commit instead)
* [automated] make revendor
* Upgrade to controller-tools@v0.7.0 in go.mod
* [automated] make revendor
* Add missing WarningsOn{Create,Update} to rest strategies
* Replace dot imports for github.com/onsi/gomega/types
Fix linting errors: `Assertion` redeclared in this block (typecheck)
* Switch to typed values for WebhookInstallOptions.*Webhooks
ref kubernetes-sigs/controller-runtime#1626
* RequestCertificate now takes an optional requestedDuration
ref kubernetes/kubernetes#99494
* Switch to matchers.DeepEqual to test semantic equality
Maps (e.g. labels, selectors, resource requirements) might be sorted differently
than expected. Hence, use semantic equality instead of strict equality, as this
is what matters to us.
Also, DeepEqual outputs yaml and adds a nice diff indicator instead of printing
some large confusing go struct representation.
* Add new memorySwap field to expected kubelet config
ref kubernetes/kubernetes#102823
* Round condition.lastUpdateTime to seconds in test
There were several changes in the fake clients that might cause the failure
to happen just now.
* Correct unit tests falsely succeeding
These tests were not preparing the test objects correctly: they only updated
them in memory but not on the fake client. This wasn't caught until now
because the fake client mimicked the real json decoder, which didn't unset
fields not present on the server. Now that the fake client zeroes fields,
the tests started failing (which is correct). So fix the tests.
ref kubernetes-sigs/controller-runtime#1651
* Remove workarounds for missing zeroing in json decoder
Now that the c-r client zeroes fields before decoding into the object,
we can drop our workarounds for this, so basically drop
kutil.CreateResetObjectFunc and its usages.
ref kubernetes-sigs/controller-runtime#1640
* Drop setting webhook gvk explicitly in envtest
webhookConfig.SetGroupVersionKind is not needed anymore with
kubernetes-sigs/controller-runtime#1665
* Add some follow-up TODO comments
* [automated] make generate
but with go 1.16.9
* Address review comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This change updates the CSR API to add a new, optional field called
expirationSeconds. This field is a request to the signer for the
maximum duration the client wishes the cert to have. The signer is
free to ignore this request based on its own internal policy. The
signers built-in to KCM will honor this field if it is not set to a
value greater than --cluster-signing-duration. The minimum allowed
value for this field is 600 seconds (ten minutes).
This change will help enforce safer durations for certificates in
the Kube ecosystem and will help related projects such as
cert-manager with their migration to the Kube CSR API.
Future enhancements may update the Kubelet to take advantage of this
field when it is configured in a way that can tolerate shorter
certificate lifespans with regular rotation.
Signed-off-by: Monis Khan mok@vmware.com
/kind feature
/kind api-change
/sig auth
/priority important-longterm
/triage accepted
@kubernetes/sig-auth-pr-reviews @kubernetes/sig-security-pr-reviews
/assign @mikedanese @liggitt @munnerz
Fixes #92678
xref: cert-manager/cert-manager#3646
Special notes for your reviewer: