Document how to use Kubernetes with a custom certificate authority #39694

Open
sdputurn opened this issue Feb 27, 2023 · 8 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/docs Categorizes an issue or PR as relevant to SIG Docs. sig/security Categorizes an issue or PR as relevant to SIG Security.

Comments

@sdputurn

What would you like to be added?

I would like k8s to use a custom CA and its key to sign certificates for the apiserver, controller-manager, scheduler, kubelet, etc., and also to sign CSRs.

I have checked the docs - https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#external-ca-mode

  1. where it says to use an external CA signed certificate for the server and add trust for this CA in k8s (but with this, k8s will not be able to sign CSRs)
  2. it also says to run the controller-manager standalone with --controllers=csrsigner and point to the CA certificate and key, but does not give more details

We are looking at option 2, but the doc does not explain well whether this is the option to use for an external CA and key with k8s.

Thanks,
Sandeep

Why is this needed?

Currently we have multiple clusters, and every cluster uses its own CA for certificate management. Our scanning tools report them as unknown CAs, so we end up having so many CAs to trust in the scanning tool. We want to use a custom CA and use this CA cert and key in our k8s cluster.

@sdputurn sdputurn added the kind/feature Categorizes issue or PR as related to a new feature. label Feb 27, 2023
@k8s-ci-robot k8s-ci-robot added the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Feb 27, 2023
@k8s-ci-robot
Contributor

There are no sig labels on this issue. Please add an appropriate label by using one of the following commands:

  • /sig <group-name>
  • /wg <group-name>
  • /committee <group-name>

Please see the group list for a listing of the SIGs, working groups, and committees available.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Feb 27, 2023
@k8s-ci-robot
Contributor

This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@sdputurn
Author

wg /policy

@sftim
Contributor

sftim commented Feb 27, 2023

This might be a documentation request. I think it is.

/retitle Document how to use Kubernetes with a custom certificate authority

@k8s-ci-robot k8s-ci-robot changed the title Ability to use custom CA for kubernetes Document how to use Kubernetes with a custom certificate authority Feb 27, 2023
@sftim
Contributor

sftim commented Feb 27, 2023

/transfer website

@k8s-ci-robot k8s-ci-robot transferred this issue from kubernetes/kubernetes Feb 27, 2023
@sftim
Contributor

sftim commented Feb 27, 2023

/sig docs
/sig security
/sig auth

@k8s-ci-robot k8s-ci-robot added sig/docs Categorizes an issue or PR as relevant to SIG Docs. sig/security Categorizes an issue or PR as relevant to SIG Security. sig/auth Categorizes an issue or PR as relevant to SIG Auth. labels Feb 27, 2023
@aramase
Member

aramase commented May 1, 2023

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels May 1, 2023
@k8s-triage-robot

This issue has not been updated in over 1 year, and should be re-triaged.

You can:

  • Confirm that this issue is still relevant with /triage accepted (org members only)
  • Close this issue with /close

For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/

/remove-triage accepted

@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. and removed triage/accepted Indicates an issue or PR is ready to be actively worked on. labels Apr 30, 2024
Projects
Status: Backlog
Development

No branches or pull requests

5 participants