From d59e09d9a717d6c279a89c0bf678c311b40d8d72 Mon Sep 17 00:00:00 2001 From: Hannes Baum Date: Mon, 6 Nov 2023 11:33:20 +0100 Subject: [PATCH] fixup! K8s cluster robustness features (#414) Signed-off-by: Hannes Baum --- Standards/scs-0215-v1-robustness-features.md | 21 ++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/Standards/scs-0215-v1-robustness-features.md b/Standards/scs-0215-v1-robustness-features.md index 1c4c5f620..943941bc7 100644 --- a/Standards/scs-0215-v1-robustness-features.md +++ b/Standards/scs-0215-v1-robustness-features.md @@ -161,7 +161,13 @@ and rotation of the certificate for the kubelet according to the documentation. A clusters certificates can either be rotated by updating the cluster, which according to the Kubernetes documentation automatically renews the certificates, or by running the kubeadm certs renew command for the certificates that need to -updated. Since clusters conformant with the SCS standards would probably be updated within a 14 month time period, this +updated, which can be seen in the following inline code + +```bash +kubeadm certs renew all +``` + +Since clusters conformant with the SCS standards would probably be updated within a 14 month time period, this rotation can probably be assumed to happen. Nevertheless, the alternative can still be mentioned in the standard. Additionally, the CSR needs to be approved manually due to security reasons with the commands 
@@ -170,6 +176,11 @@ kubectl get csr kubectl certificate approve ``` +Another option to approve the CSRs would be to use a third-party controller that automates the process. One example for +this would be the [Kubelet CSR approver](https://github.com/postfinance/kubelet-csr-approver), which can be deployed on +a K8s cluster and requires `serverTLSBootstrap` to be set to true. Other controllers with a similar functionality might +have other specific requirements, which won't be explored in this document. + Another problem is that the Certificate Authority (CA) might expire. Unfortunately, kubeadm doesn't have any tooling at the moment to renew the CA. Instead, there is documentation for manually rotating the CA, which can be found under [Manual rotation of ca certificate](https://kubernetes.io/docs/tasks/tls/manual-rotation-of-ca-certificates/). @@ -249,7 +260,11 @@ case of SCS, we REQUIRE at least a yearly certificate rotation. To achieve a complete certificate rotation, the parameters `serverTLSBootstrap` and `rotateCertificates` MUST be set. The certificates can be rotated by either updating the Kubernetes cluster, which automatically -renews certificates, or by manually renewing them with the `kubeadm certs renew` command. +renews certificates, or by manually renewing them with the command +```bash +kubeadm certs renew all +``` + After this, new CSRs MUST be approved manually, normally done with ```bash @@ -257,6 +272,8 @@ kubectl get csr kubectl certificate approve ``` +or be approved with a third-party controller, e.g. the [kubelet-csr-approver](https://github.com/postfinance/kubelet-csr-approver). + It is also RECOMMENDED to renew the certificate authority (CA) regularly to avoid an expiration of the CA. This standard doesn't set a timeline for this, since it is dependent on the CA.
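Review bot: in the first hunk (`@@ -161,7 +161,13 @@`), the new line `+updated, which can be seen in the following inline code` calls a fenced code block "inline code", and the command it introduces, `kubeadm certs renew all`, renews all kubeadm-managed certificates rather than only "the certificates that need to [be] updated" as the sentence says. Suggest closing the sentence with a colon and making the scope explicit, e.g. `updated. To renew all of them at once, run:` followed by the existing fenced block; the context line `need to -updated` is also missing a `be` and could be fixed while this paragraph is being touched.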
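Review bot: in the second hunk (`@@ -170,6 +176,11 @@`), the new paragraph presents the third-party approver as automating CSR approval, while the context sentence just above it states that the CSR "needs to be approved manually due to security reasons"; the paragraph should say how an automatic approver addresses that concern (what the controller verifies about a CSR before approving it, and that only CSRs passing that check are approved) or the two statements read as contradictory. The tool is also named `Kubelet CSR approver` here and `kubelet-csr-approver` in the last hunk; pick one spelling. Minor: `K8s` here versus `Kubernetes` in the surrounding text, and `won't` is informal for a standards document.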
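Review bot: in the third hunk (`@@ -249,7 +260,11 @@`), the opening fence on `+```bash` directly follows `+renews certificates, or by manually renewing them with the command` with no blank line, whereas every other fence in this file is preceded by one; add the blank line so the block renders consistently. Also, the normative text now prescribes the kubeadm-specific `kubeadm certs renew all`; if the standard is meant to cover clusters not built with kubeadm, word it so the command is an example of how to renew rather than the required method.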
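Review bot: in the fourth hunk (`@@ -257,6 +272,8 @@`), the added line `+or be approved with a third-party controller, e.g. the [kubelet-csr-approver](https://github.com/postfinance/kubelet-csr-approver).` contradicts the context sentence `After this, new CSRs MUST be approved manually, normally done with`: a MUST on manual approval cannot be followed by an alternative. Reword the lead sentence to `After this, new CSRs MUST be approved, either manually, normally done with`, keep the existing fenced block, and continue with `or with a third-party controller such as ...`; as written, `normally done with ... or be approved with` also does not parse as one sentence.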