Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rotate kubelet self-signed certificate #7322

Closed
wants to merge 1 commit into from
Closed

Rotate kubelet self-signed certificate #7322

wants to merge 1 commit into from

Conversation

champtar
Copy link
Contributor

Looking at k8s code I can only see code generating kubelet
self-signed cert but nothing rotating it.
https://github.com/kubernetes/kubernetes/blob/e7cc2117a02bc5c74a8235a2725834b1841c459e/cmd/kubelet/app/server.go#L985-L990

Just delete the cert and let kubelet recreate it

What type of PR is this?
/kind feature

What this PR does / why we need it:

Which issue(s) this PR fixes:
Fixes kubernetes/kubernetes#99418

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

kubelet.service systemd unit now deletes /var/lib/kubelet/pki/kubelet.{crt,key} on startup. This allow to rotate this self-signed certicate auto generated by kubelet on startup.

@champtar
Rotate kubelet self-signed certificate
1138f0c 
Looking at k8s code I can only see code generating kubelet
self-signed cert but nothing rotating it.
https://github.com/kubernetes/kubernetes/blob/e7cc2117a02bc5c74a8235a2725834b1841c459e/cmd/kubelet/app/server.go#L985-L990

Just delete the cert and let kubelet recreate it

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Feb 24, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: champtar
To complete the pull request process, please assign mattymo after the PR has been reviewed.
You can assign the PR to them by writing /assign @mattymo in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Feb 24, 2021
@champtar
Copy link
Contributor Author

/hold let's wait for comment in the k8s ticket

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 24, 2021
@floryut
Copy link
Member

floryut commented Feb 25, 2021

Btw why do you do that when kubelet_rotate_server_certificates is set to false ?

@champtar champtar mentioned this pull request Mar 3, 2021
Closed
fourstepper
fourstepper reviewed Mar 11, 2021
View reviewed changes
roles/kubernetes/node/templates/kubelet.service.j2
@@ -11,6 +11,9 @@ Wants={{ container_manager }}.service
[Service]
User=root
EnvironmentFile=-{{ kube_config_dir }}/kubelet.env
{% if not kubelet_rotate_server_certificates %}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be better to handle this like this:

{% if kubelet_rotate_server_certificates | default(false) %}

unless the policy is to have everything defined in defaults - even then, this would be a safe choice

EDIT: unless the default should be true, of course

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

kubelet_rotate_server_certificates already exists to enable RotateKubeletServerCertificate
https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#certificate-rotation
We can't enable it by default because k8s doesn't approve kubelet CSR by default for security reasons, so you need some extra components

When it's disabled, kubelet generate a self-signed cert that is never regenerated. This is not really a problem because it's not checked at all.
The idea of this PR was to delete this self-signed cert so it's regenerated, but not sure it really provide any value

@champtar champtar closed this Mar 23, 2021
@champtar champtar deleted the rotatekubeletselfsigned branch March 23, 2021 16:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fourstepper fourstepper fourstepper left review comments

@holmsten holmsten Awaiting requested review from holmsten

@oomichi oomichi Awaiting requested review from oomichi

Assignees
No one assigned
Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. kind/feature Categorizes issue or PR as related to a new feature. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

self-signed kubelet server certificate is never renewed
4 participants
@champtar @k8s-ci-robot @floryut @fourstepper