Document kubernetes.io/kube-apiserver-serving ClusterTrustBundle signer by stlaz · Pull Request #48492 · kubernetes/website

stlaz · 2024-10-22T09:10:54Z

Description

This is ~~a placeholder~~ for KEP-3257 Cluster Trust Bundles

Issue

Related to: kubernetes/enhancements#3257

netlify · 2024-10-22T09:11:13Z

👷 Deploy Preview for kubernetes-io-vnext-staging processing.

Name	Link
🔨 Latest commit	`ad05ff8`
🔍 Latest deploy log	https://app.netlify.com/sites/kubernetes-io-vnext-staging/deploys/674714996a54c400089b9d79

netlify · 2024-10-22T09:21:53Z

✅ Pull request preview available for checking

Built without sensitive environment variables

Name	Link
🔨 Latest commit	`9f625bd`
🔍 Latest deploy log	https://app.netlify.com/projects/kubernetes-io-main-staging/deploys/69ef6481a6b5400008a60e78
😎 Deploy Preview	https://deploy-preview-48492--kubernetes-io-main-staging.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

spurin · 2024-11-01T12:20:33Z

Hello @stlaz 👋 please take a look at Documenting for a release - PR Ready for Review to get your PR ready for review before Tuesday November 19th 2024 18:00 PST. Thank you!

sftim · 2024-11-15T11:24:26Z

/retitle Document kubernetes.io/kube-apiserver-serving ClusterTrustBundle signer

sftim

Some feedback

stlaz · 2024-11-25T10:55:34Z

Thank you @sftim for the review. I addressed your comments, I had additional questions with some of them.

sftim · 2024-11-27T12:36:05Z

LGTM for docs (even with pending feedback)
We should try to get a technical review on this change as well.

stlaz · 2025-01-31T14:29:01Z

Indeed, this was created for 1.32 originally but that's now main. Switched to the correct one, I'll fix the merge conflicts to make the PR mergeable again.

k8s-triage-robot · 2025-05-06T15:28:17Z

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

Mark this PR as fresh with /remove-lifecycle stale
Close this PR with /close
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

stlaz · 2025-05-07T14:32:05Z

/remove-lifecycle stale

stlaz · 2025-06-24T15:51:29Z

/hold cancel

enj · 2025-06-24T15:52:30Z

/milestone 1.33

k8s-ci-robot · 2025-06-24T15:52:32Z

@enj: You must be a member of the kubernetes/website-milestone-maintainers GitHub team to set the milestone. If you believe you should be able to issue the /milestone command, please contact your Website milestone maintainers and have them propose you as an additional delegate for this responsibility.

Details

In response to this:

/milestone 1.33

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

enj

Another pass.

enj · 2025-06-24T19:41:14Z

-Enable ClusterTrustBundle objects and kubelet integration.
+This feature gate exists in the Kubernetes API server and the controller manager.
+
+Used from the kube-apiserver, it enables ClusterTrustBundle support.


Need the feature gate on the kubelet to use the volume right?

Yes, that's documented elsewhere. This FG only controls the API and the signer.

stlaz · 2025-07-23T07:40:31Z

@lmktfy would you be the right person from sig-docs for a final review?

ahmedtd · 2025-07-23T21:44:57Z

+    1. Trust distribution: signed certificates are used by the kube-apiserver for TLS
+       server authentication. The CA bundle is distributed using a ClusterTrustBundle object
+       identifiable by the `kubernetes.io/kube-apiserver-serving` signer name.
+    1. Permitted subjects - "Subject" itself is deprecated for TLS server authentication by RFC2818. However,


I'm confused --- there's no automated signing at all for this signer, right? Shouldn't we only document the trust anchor distribution?

There is no automated signing but we should still document it as any other in-tree signer, including the expectations we've got for the certificates it signs.

stlaz · 2025-08-20T08:28:45Z

/close
Looks like this PR just was not in people's review loops, let's merge it as a part of #51487

k8s-ci-robot · 2025-08-20T08:28:52Z

@stlaz: Closed this PR.

Details

In response to this:

/close
Looks like this PR just was not in people's review loops, let's merge it as a part of #51487

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

stlaz · 2026-04-27T13:18:12Z

/reopen
#51487 was abandoned, reopening.

k8s-ci-robot · 2026-04-27T13:18:21Z

@stlaz: Reopened this PR.

Details

In response to this:

/reopen
#51487 was abandoned, reopening.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

k8s-ci-robot · 2026-04-27T13:18:27Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign sayanchowdhury for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

content/en/docs/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

stlaz · 2026-04-27T13:20:36Z

@enj @lmktfy please take a look if you'd be so good. I think the PR was almost good for merging before I closed it.

Signed-off-by: Stanislav Láznička <slznika@microsoft.com>

k8s-ci-robot added this to the 1.32 milestone Oct 22, 2024

k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Oct 22, 2024

stlaz force-pushed the cluster_trust_bundles branch from f6fe71b to b3c06b7 Compare November 12, 2024 13:10

k8s-ci-robot added language/en Issues or PRs related to English language size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Nov 12, 2024

stlaz changed the title ~~KEP-3257 (Cluster Trust Bundles) docs placeholder~~ KEP-3257 (Cluster Trust Bundles): add docs for a new signer Nov 12, 2024

stlaz marked this pull request as ready for review November 12, 2024 13:12

k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 12, 2024

k8s-ci-robot requested review from divya-mohan0209 and enj November 12, 2024 13:12

k8s-ci-robot changed the title ~~KEP-3257 (Cluster Trust Bundles): add docs for a new signer~~ Document kubernetes.io/kube-apiserver-serving ClusterTrustBundle signer Nov 15, 2024

sftim reviewed Nov 15, 2024

View reviewed changes

Comment thread content/en/docs/reference/access-authn-authz/certificate-signing-requests.md Outdated

stlaz force-pushed the cluster_trust_bundles branch from b3c06b7 to 7687889 Compare November 25, 2024 10:53

k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Nov 25, 2024

stlaz force-pushed the cluster_trust_bundles branch from 7687889 to 58c17dd Compare November 25, 2024 14:05

sftim reviewed Nov 27, 2024

View reviewed changes

Comment thread content/en/docs/reference/glossary/san.md Outdated

sftim reviewed Nov 27, 2024

View reviewed changes

Comment thread content/en/docs/reference/glossary/san.md Outdated

sftim reviewed Nov 27, 2024

View reviewed changes

Comment thread content/en/docs/reference/glossary/san.md Outdated

sftim reviewed Nov 27, 2024

View reviewed changes

Comment thread content/en/docs/reference/command-line-tools-reference/feature-gates/cluster-trust-bundle.md Outdated

k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 31, 2025

stlaz changed the base branch from dev-1.32 to main January 31, 2025 14:27

k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 31, 2025

stlaz force-pushed the cluster_trust_bundles branch from 131eee4 to 4304cc1 Compare February 5, 2025 15:17

k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 5, 2025

k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 6, 2025

k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 7, 2025

k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 24, 2025

enj suggested changes Jun 24, 2025

View reviewed changes

stlaz force-pushed the cluster_trust_bundles branch from 4304cc1 to 539d7e9 Compare June 25, 2025 11:10

ahmedtd reviewed Jul 23, 2025

View reviewed changes

stlaz mentioned this pull request Aug 20, 2025

Refactor Certificates Documentation #51487

Closed

k8s-ci-robot closed this Aug 20, 2025

k8s-ci-robot reopened this Apr 27, 2026

stlaz added 2 commits April 27, 2026 15:28

KEP-3257 (Cluster Trust Bundles): add a new signer

9ea55e8

Signed-off-by: Stanislav Láznička <slznika@microsoft.com>

review: split the CTB FG info for KAS and KCM

9f625bd

Signed-off-by: Stanislav Láznička <slznika@microsoft.com>

stlaz force-pushed the cluster_trust_bundles branch from 539d7e9 to 9f625bd Compare April 27, 2026 13:28

Conversation

stlaz commented Oct 22, 2024 • edited by sftim Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

Issue

Uh oh!

netlify Bot commented Oct 22, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

👷 Deploy Preview for kubernetes-io-vnext-staging processing.

Uh oh!

netlify Bot commented Oct 22, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

✅ Pull request preview available for checking

Uh oh!

spurin commented Nov 1, 2024

Uh oh!

sftim commented Nov 15, 2024

Uh oh!

sftim left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

stlaz commented Nov 25, 2024

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

sftim commented Nov 27, 2024

Uh oh!

stlaz commented Jan 31, 2025

Uh oh!

k8s-triage-robot commented May 6, 2025

Uh oh!

stlaz commented May 7, 2025

Uh oh!

stlaz commented Jun 24, 2025

Uh oh!

enj commented Jun 24, 2025

Uh oh!

k8s-ci-robot commented Jun 24, 2025

Uh oh!

enj left a comment

Choose a reason for hiding this comment

Uh oh!

enj Jun 24, 2025

Choose a reason for hiding this comment

Uh oh!

stlaz Jun 25, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

stlaz commented Jul 23, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

ahmedtd Jul 23, 2025

Choose a reason for hiding this comment

Uh oh!

stlaz Jul 24, 2025

Choose a reason for hiding this comment

Uh oh!

stlaz commented Aug 20, 2025

Uh oh!

k8s-ci-robot commented Aug 20, 2025

Uh oh!

stlaz commented Apr 27, 2026

Uh oh!

k8s-ci-robot commented Apr 27, 2026

Uh oh!

k8s-ci-robot commented Apr 27, 2026

Uh oh!

stlaz commented Apr 27, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

stlaz commented Oct 22, 2024 •

edited by sftim

Loading

netlify Bot commented Oct 22, 2024 •

edited

Loading

netlify Bot commented Oct 22, 2024 •

edited

Loading

stlaz commented Jul 23, 2025 •

edited

Loading