[WIP] An aspirational document on renewing certificates using kubeadm. #9712
Conversation
Commands mentioned do not currently exist.
k8s-ci-robot
added
the
do-not-merge/work-in-progress
k8s-ci-robot
added
size/L
|
Deploy preview for kubernetes-io-master-staging ready! Built with commit ebe7c3e https://deploy-preview-9712--kubernetes-io-master-staging.netlify.com |
|
@liztio looks good, thanks. do we have an associated issue in |
|
/sig cluster-lifecycle |
k8s-ci-robot
added
the
sig/cluster-lifecycle
|
|
||
| {{% capture steps %}} | ||
|
|
||
| As part of upgrades, `kubeadm` will check all certificates it manages for expiration. |
There was a problem hiding this comment.
Does that means are you planning to change the upgrade process as well? currently, if I remember well it replaces only api server cert older than 180 days
There was a problem hiding this comment.
Oh is that how it works? I was told is was "3 months from expiry," which I was able to prove wasn't the case.
There was a problem hiding this comment.
That is my understanding of this code at least ...
https://github.com/kubernetes/kubernetes/blob/0c8fe56ea41d59b9f795949fbced9fde6ab422eb/cmd/kubeadm/app/phases/upgrade/postupgrade.go#L304
There was a problem hiding this comment.
Agree with @fabriziopandini :)
|
|
||
| [ca creation]: https://github.com/kubernetes/kubernetes/blob/release-1.11/staging/src/k8s.io/client-go/util/cert/cert.go#L72 | ||
|
|
||
| ## Kubelet client certificates |
There was a problem hiding this comment.
@liztio might be I don't have all the info here, but why we need this if we are using Node certificate rotation via CSR auto-approved by the csrapprover controller?
There was a problem hiding this comment.
I need review here from a security engineer. My thinking was a compromised certificate could allow the compromise to continue if we used the same trust paths. But maybe that's not a real risk factor?
| certs bootstrap created. Run `kubeadm phase certs renew kubelet --token <some token> | ||
| ``` | ||
|
|
||
| Run the provided command on all kubelet nodes. This re-bootstraps the trust from the master to the nodes. |
There was a problem hiding this comment.
I wonder if we can automate this now via the dynamic kubelet jiggery.
/cc @mtaufen
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: timothysc If they are not already assigned, you can assign the PR to them by writing The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Thanks for putting this together @liztio! Do you know if there is a way to rotate the certs after the kubeadm one got expired? If yes, it'd be great to have this described in the docs as may people may struggle with this (me in particular 😅) |
| {{% capture steps %}} | ||
|
|
||
| As part of upgrades, `kubeadm` will check all certificates it manages for expiration. | ||
| If they are expiring within the next month, they will be replaced. |
There was a problem hiding this comment.
Does “the next month” mean 30 days or the next natural month?
|
|
||
| {{< warning >}} | ||
|
|
||
| Kubernetes CAs do not support OCSP. |
There was a problem hiding this comment.
Might be good to write the full words of OCSP?
|
|
||
| ``` | ||
| $ kubeadm phase certs renew master | ||
| certs bootstrap created. Run `kubeadm phase certs renew kubelet --token <some token> |
There was a problem hiding this comment.
Missing a ` at the end
Automatic merge from submit-queue (batch tested with PRs 64283, 67910, 67803, 68100). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md. Kubeadm Cert Renewal **What this PR does / why we need it**: adds explicit support for renewal of certificates via command **Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*: Fixes kubernetes/kubeadm#206 **Special notes for your reviewer**: The targeted documentation is at kubernetes/website#9712 **Release note**: ```release-note Adds the commands `kubeadm alpha phases renew <cert-name>` ```
Automatic merge from submit-queue (batch tested with PRs 64283, 67910, 67803, 68100). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md. Kubeadm Cert Renewal **What this PR does / why we need it**: adds explicit support for renewal of certificates via command **Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*: Fixes kubernetes/kubeadm#206 **Special notes for your reviewer**: The targeted documentation is at kubernetes/website#9712 **Release note**: ```release-note Adds the commands `kubeadm alpha phases renew <cert-name>` ``` Kubernetes-commit: 17dde46baebe0b67421132af7b99b42d89ea4cd0
Automatic merge from submit-queue (batch tested with PRs 64283, 67910, 67803, 68100). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md. Kubeadm Cert Renewal **What this PR does / why we need it**: adds explicit support for renewal of certificates via command **Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*: Fixes kubernetes/kubeadm#206 **Special notes for your reviewer**: The targeted documentation is at kubernetes/website#9712 **Release note**: ```release-note Adds the commands `kubeadm alpha phases renew <cert-name>` ``` Kubernetes-commit: 17dde46baebe0b67421132af7b99b42d89ea4cd0
Automatic merge from submit-queue (batch tested with PRs 64283, 67910, 67803, 68100). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md. Kubeadm Cert Renewal **What this PR does / why we need it**: adds explicit support for renewal of certificates via command **Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*: Fixes kubernetes/kubeadm#206 **Special notes for your reviewer**: The targeted documentation is at kubernetes/website#9712 **Release note**: ```release-note Adds the commands `kubeadm alpha phases renew <cert-name>` ``` Kubernetes-commit: 17dde46baebe0b67421132af7b99b42d89ea4cd0
|
@liztio 👋 Thanks for this PR! It looks like the last activity here was 18 days ago. Please feel free to reopen this PR when you're ready to address review feedback and drop |
Commands mentioned do not currently exist.
Part of kubernetes/kubeadm#206