Allow cluster-signing-duration to be set in Shoot spec #9136
Labels: area/security (Security related), area/usability (Usability related), kind/enhancement (Enhancement, improvement, extension), lifecycle/stale (Denotes an issue or PR has remained open with no activity and has become stale.)
How to categorize this issue?
/area security
/area usability
/kind enhancement
What would you like to be added:
Since #5096 gardener sets the `kube-controller-manager` flag `--cluster-signing-duration` to `720h`. Even when a `CertificateSigningRequest` with a larger `spec.expirationSeconds` is given, the generated cert is only valid for `30d`. Upstream default is 8760h (1y). We would like to introduce a new field in the `Shoot` spec to make that configurable, and keep the default at `720h`.

Why is this needed:
A user is trying to generate certificate-based kubeconfigs with their own RBAC by basically doing the steps from https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#normal-user and doesn't want to renew them every 30 days. They feel limited by the gardener default compared to other Kubernetes solutions they are using, and ask us to at least allow the upstream default of 1 year.
It appears to me the motivation of #5096 was to reduce the kubelet's certificate lifetime, as it is auto-renewing anyway, and there is no way for the `kubelet` to request a shorter expiration independent of this global "maximum" setting right now. So people would also change `kubelet` behavior even if they only care about their own CSRs. Arguably that is worse for security, but I would still let them make that decision.
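The capping behavior the issue describes, as an added example that is not code from the issue, from gardener or from Kubernetes: a small Python model of how the in-tree kube-controller-manager signer derives a certificate's validity from `spec.expirationSeconds` and `--cluster-signing-duration`, so an operator can tell before approving a CSR whether the requested lifetime will actually be honored. The Go-duration parser, the `review_csr` helper and the sample `USER_CSR` are assumptions constructed for this example; the rule encoded is the one stated above (the request is honored but never beyond the cluster-wide flag, and an unset request gets the flag's value).

```python
"""Added example (not code from the issue, gardener or Kubernetes): model how
the kube-controller-manager signer decides certificate validity, so an
operator can check ahead of approval whether a requester's
spec.expirationSeconds will be honored or silently shortened.

Rule encoded, as described in the issue: the signer honors
spec.expirationSeconds but caps it at --cluster-signing-duration; with no
expirationSeconds the cap itself is used. The Go-duration parser, the
review_csr helper and the sample CSR are constructed for this example.
"""
import re
from datetime import timedelta

# Kubernetes API validation: spec.expirationSeconds must be >= 600 (10 minutes).
MIN_EXPIRATION_SECONDS = 600

# Go duration units understood here (kube flags use this syntax, e.g. "720h").
_UNITS = {"h": 3600.0, "m": 60.0, "s": 1.0, "ms": 0.001}
_SHAPE = re.compile(r"(?:\d+(?:\.\d+)?(?:h|ms|m|s))+")
_TOKEN = re.compile(r"(\d+(?:\.\d+)?)(h|ms|m|s)")


def parse_go_duration(text: str) -> timedelta:
    """Parse a Go duration such as '720h', '8760h' or '1h30m' into a timedelta."""
    if not _SHAPE.fullmatch(text):
        raise ValueError(f"not a Go duration: {text!r}")
    seconds = sum(float(n) * _UNITS[u] for n, u in _TOKEN.findall(text))
    return timedelta(seconds=seconds)


def effective_lifetime(csr: dict, cluster_signing_duration: str) -> timedelta:
    """Validity the kube-controller-manager signer will put on the certificate
    for this CSR (a dict shaped like a certificates.k8s.io/v1 object)."""
    cap = parse_go_duration(cluster_signing_duration)
    requested = csr.get("spec", {}).get("expirationSeconds")
    if requested is None:
        return cap  # nothing requested: the signer uses the cluster default
    if requested < MIN_EXPIRATION_SECONDS:
        raise ValueError(
            f"expirationSeconds {requested} is below the minimum {MIN_EXPIRATION_SECONDS}")
    return min(timedelta(seconds=requested), cap)


def review_csr(csr: dict, cluster_signing_duration: str) -> dict:
    """Summarize what the requester asked for versus what they will get.
    'capped' is True when the cluster-wide flag shortens the request, which is
    exactly the surprise the issue reports for the 720h gardener default."""
    spec = csr.get("spec", {})
    requested = spec.get("expirationSeconds")
    effective = effective_lifetime(csr, cluster_signing_duration)
    cap = parse_go_duration(cluster_signing_duration)
    return {
        "name": csr.get("metadata", {}).get("name"),
        "signer": spec.get("signerName"),
        "requested_days": None if requested is None else requested / 86400,
        "cap_days": cap.total_seconds() / 86400,
        "effective_days": effective.total_seconds() / 86400,
        "capped": requested is not None and timedelta(seconds=requested) > cap,
    }


# Constructed sample: a "normal user" client CSR like the one in the Kubernetes
# docs linked above, asking for one year (spec.request, the base64 PEM CSR, is
# omitted because only spec.expirationSeconds matters for the lifetime).
USER_CSR = {
    "apiVersion": "certificates.k8s.io/v1",
    "kind": "CertificateSigningRequest",
    "metadata": {"name": "example-user"},
    "spec": {
        "signerName": "kubernetes.io/kube-apiserver-client",
        "expirationSeconds": 365 * 86400,
        "usages": ["client auth"],
    },
}

if __name__ == "__main__":
    for flag in ("720h", "8760h"):  # gardener default vs. upstream default
        r = review_csr(USER_CSR, flag)
        print(f"--cluster-signing-duration={flag}: requested {r['requested_days']:.0f}d, "
              f"effective {r['effective_days']:.0f}d, capped={r['capped']}")
```

Run against the two values discussed in the issue, the one-year request comes back as 30 days under `720h` and as the full 365 days under `8760h`. Comparing `requested_days` with `effective_days` this way is the first thing to look at when users report kubeconfigs expiring sooner than they asked for, and it also makes visible that the same cap applies to every CSR the signer handles, kubelet client certificates included.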