Rotate kubelet server certificate. #6453
Conversation
Hi @vrlo. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@@ -195,7 +195,10 @@ apiServer: | |||
{% endif %} |
Weird that the line break above is mandatory so as not to break the build.
Yes, otherwise the event-ttl line ends up at the end of the previous line.
Should this be enabled in one CI test job?
That would be wise. Which test would you suggest cloning/editing?
I would say
/ok-to-test
Nice @vrlo :)
Why not have it as default enabled?
I can answer myself, because it requires CSR approval.
fail_msg: kubelet_rotate_server_certificates is {{ kubelet_rotate_server_certificates }} but no csr's found | ||
|
||
- name: Approve certificates | ||
command: "{{ bin_dir }}/kubectl certificate approve {{ get_csr.stdout_lines | join(' ') }}" |
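Review bot: the approve step (`kubectl certificate approve {{ get_csr.stdout_lines | join(' ') }}`) approves every name the preceding `get csr` returned, with no check on which signer, requester or node each CSR belongs to, so a CSR from an unexpected identity that happens to be pending at that moment gets approved too. Even for a CI-only task, narrow the `get csr` step to requests whose requester is `system:node:<name>` for a host in the inventory (a jsonpath or field filter on the `get csr` command is enough) so the test exercises the same approval decision an operator is expected to make, and keep the `fail_msg` assertion above it so the join never runs on an empty list.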
I don't really like how this is implemented. What I was expecting in this PR was the following:
1 - needed vars
2 - logic to enable cert renewal in kubelet config
3 - renewal logic
What I see here is kubectl get csr/kubectl certificate approve in the tests directory, not part of the actual Kubespray core Ansible playbook. Why can't we put this in kubernetes/kubeadm role directly and run it on the first controller?
From a security perspective, we should filter csrs for those that belong to nodes we know about from inventory, rather than blindly approving all.
Thanks for the review.
ad 1 - there's var kubelet_rotate_server_certificates that is documented
ad 2 - that's kubelet config parameter ServerTLSBootstrap
ad 3 - both bootstrap and renewal are handled by kubelet when the parameter in 2 is set
I would recommend not putting approval logic in kubespray. There is a reason why serving certificates aren't automatically approved by CSR approving controller like client certificates are. Cluster admin is supposed to manually approve them (or implement a custom approving controller). In any case, approvals are not in scope of this PR. That is why the functionality is disabled by default and the docs warn about the caveat.
Regarding blind approvals in the test, that part takes the role of the cluster admin manually approving certificates and was added just to pass the test which failed otherwise (kubectl exec couldn't connect to the kubelet which was missing the serving certificate).
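The thread above leaves the approval decision to the cluster admin or a custom approving controller, and the review asks that any approval be restricted to nodes known from inventory. The following is an added example of that decision logic, written for this page and not part of kubespray or of the PR: it takes the fields of a CertificateSigningRequest object that matter (signer, requesting username, usages, and the PKCS#10 request body, assumed already base64-decoded from `.spec.request`), parses the request with Go's standard library, and approves only when the signer is `kubernetes.io/kubelet-serving`, the requester is a `system:node:<name>` identity present in the inventory, the usages are within what that signer permits, the subject is `CN=system:node:<name>,O=system:nodes`, and every DNS/IP SAN is an address the inventory attributes to that node. The `Inventory` and `CSRInfo` types and the `makeNodeCSR` helper are assumptions made for the example; `makeNodeCSR` only constructs sample input shaped like a kubelet's serving CSR. A real controller would obtain the CSR objects through the Kubernetes API instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"net"
	"strings"
)

// Inventory maps a node name to the SAN values (DNS names, IP strings) allowed on its serving cert.
type Inventory map[string]map[string]bool

// CSRInfo is the subset of a CertificateSigningRequest the policy needs; RequestPEM is .spec.request base64-decoded.
type CSRInfo struct {
	SignerName string   // .spec.signerName
	Username   string   // .spec.username, the identity that submitted the CSR
	Usages     []string // .spec.usages
	RequestPEM []byte
}

// ShouldApprove returns whether the CSR may be approved and, if not, why; rules are checked on the CSR body, not only .spec metadata.
func ShouldApprove(c CSRInfo, inv Inventory) (bool, string) {
	if c.SignerName != "kubernetes.io/kubelet-serving" {
		return false, "signer is not kubernetes.io/kubelet-serving"
	}
	node := strings.TrimPrefix(c.Username, "system:node:")
	allowed, known := inv[node]
	if node == c.Username || !known {
		return false, c.Username + " is not a node identity from the inventory"
	}
	// Only usages the kubelet-serving signer permits; "client auth" must never be granted on a serving cert.
	for _, u := range c.Usages {
		if u != "digital signature" && u != "key encipherment" && u != "server auth" {
			return false, "usage " + u + " is not permitted on a serving certificate"
		}
	}
	block, _ := pem.Decode(c.RequestPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return false, "request is not a PEM-encoded CSR"
	}
	req, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil || req.CheckSignature() != nil {
		return false, "CSR does not parse or its self-signature is invalid"
	}
	// The subject must name the same node identity that submitted the request.
	if req.Subject.CommonName != c.Username || strings.Join(req.Subject.Organization, ",") != "system:nodes" {
		return false, "subject is not CN=" + c.Username + ",O=system:nodes"
	}
	if len(req.EmailAddresses) > 0 || len(req.URIs) > 0 || len(req.DNSNames)+len(req.IPAddresses) == 0 {
		return false, "CSR must carry at least one SAN, and only DNS or IP SANs"
	}
	// Every SAN must be an address the inventory attributes to this node; this stops one node from obtaining a cert for another host's name.
	for _, d := range req.DNSNames {
		if !allowed[d] {
			return false, "DNS SAN " + d + " is not an inventory address of " + node
		}
	}
	for _, ip := range req.IPAddresses {
		if !allowed[ip.String()] {
			return false, "IP SAN " + ip.String() + " is not an inventory address of " + node
		}
	}
	return true, "ok"
}

// makeNodeCSR builds a PEM CSR shaped like the one a kubelet submits for its serving
// certificate: constructed input for this example, not a cluster artifact.
func makeNodeCSR(node string, dns []string, ips []net.IP) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:     pkix.Name{CommonName: "system:node:" + node, Organization: []string{"system:nodes"}},
		DNSNames:    dns,
		IPAddresses: ips,
	}, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
}

func main() {
	inv := Inventory{"node1": {"node1": true, "10.0.0.11": true}}
	usages := []string{"digital signature", "key encipherment", "server auth"}
	good := makeNodeCSR("node1", []string{"node1"}, []net.IP{net.ParseIP("10.0.0.11")})
	spoof := makeNodeCSR("node1", []string{"kubernetes.default.svc"}, nil) // node1 asks for a foreign name
	for _, c := range []CSRInfo{{"kubernetes.io/kubelet-serving", "system:node:node1", usages, good},
		{"kubernetes.io/kubelet-serving", "system:node:node1", usages, spoof}} {
		ok, why := ShouldApprove(c, inv)
		fmt.Println(ok, why)
	}
}
```

The SAN check is the part that blind `kubectl certificate approve` skips entirely: the kubelet-serving signer constrains the subject and usages, but which DNS names and IPs a node is allowed to claim is something only the operator's inventory knows, which is why the signer leaves approval to a human or a controller like this one.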
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: mattymo, vrlo. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
* 'master' of https://github.com/kubernetes-sigs/kubespray:
  Add protectKernelDefaults option (default true) to kubelet config file (kubernetes-sigs#6611)
  Rotate kubelet server certificate. (kubernetes-sigs#6453)
  Add snapshot-controller for CSI drivers and snapshot CRDs, add a default volumesnapshotclass when running cinder CSI (kubernetes-sigs#6537)
  Calico: update crds to v1 and cr (kubernetes-sigs#6360)
  Fix E306 in roles/network_plugin (kubernetes-sigs#6516)
* Rotate kubelet server certificate.
* CI test kubelet server cert rotation
* Approve kubelet serving certificates in tests.
What type of PR is this?
/kind feature
What this PR does / why we need it:
Adds support for kubelet server certificate rotation.
Which issue(s) this PR fixes:
Fixes #6449
Special notes for your reviewer:
New variable `kubelet_rotate_server_certificates`, when true, sets kubelet config parameter `serverTLSBootstrap` to true and kubeadm's apiserver parameter `kubelet-certificate-authority` to the default CA location.

Does this PR introduce a user-facing change?: