[WIP] An aspirational document on renewing certificates using kubeadm. #9712
Conversation
Commands mentioned do not currently exist.

Part of kubernetes/kubeadm#206

Deploy preview for kubernetes-io-master-staging ready! Built with commit ebe7c3e https://deploy-preview-9712--kubernetes-io-master-staging.netlify.com

@liztio looks good, thanks. do we have an associated issue in

/sig cluster-lifecycle
{{% capture steps %}}

As part of upgrades, `kubeadm` will check all certificates it manages for expiration.
Does that mean you are planning to change the upgrade process as well? Currently, if I remember well, it replaces only the API server cert older than 180 days.
Oh, is that how it works? I was told it was "3 months from expiry," which I was able to prove wasn't the case.
That is my understanding of this code at least ...
https://github.com/kubernetes/kubernetes/blob/0c8fe56ea41d59b9f795949fbced9fde6ab422eb/cmd/kubeadm/app/phases/upgrade/postupgrade.go#L304
Agree with @fabriziopandini :)
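The two renewal criteria compared in the comments above are not the same test: "older than 180 days" looks at a certificate's issue date, while "expiring within the next month" looks at its expiry date, and a one-year certificate can satisfy one without the other. The Go program below is an added example, not kubeadm's code, that parses a PEM certificate and evaluates both rules at a fixed clock. The 30-day window and the 180-day age limit are assumptions taken from this discussion, and the self-signed certificate it builds is constructed test input standing in for a file under the cluster's PKI directory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Thresholds debated in the review thread. Both values are assumptions for
// this example, not what any kubeadm release actually implements.
const (
	renewWindow = 30 * 24 * time.Hour  // "expiring within the next month", read as 30 days
	maxAge      = 180 * 24 * time.Hour // "older than 180 days"
)

// CertStatus is the outcome of evaluating one certificate against both rules.
type CertStatus struct {
	Subject         string
	NotBefore       time.Time
	NotAfter        time.Time
	Expired         bool // now is past NotAfter
	ExpiresWithin   bool // NotAfter falls inside [now, now+renewWindow)
	OlderThanMaxAge bool // issued more than maxAge ago
}

// ParsePEMCert decodes the first CERTIFICATE block from PEM bytes.
func ParsePEMCert(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// Evaluate applies the expiry-window rule and the age rule at time now.
func Evaluate(cert *x509.Certificate, now time.Time) CertStatus {
	return CertStatus{
		Subject:         cert.Subject.CommonName,
		NotBefore:       cert.NotBefore,
		NotAfter:        cert.NotAfter,
		Expired:         now.After(cert.NotAfter),
		ExpiresWithin:   now.Add(renewWindow).After(cert.NotAfter),
		OlderThanMaxAge: now.Sub(cert.NotBefore) > maxAge,
	}
}

// SelfSignedPEM builds a throwaway self-signed certificate with the given
// validity. Constructed test input only; it is not a real cluster certificate.
func SelfSignedPEM(cn string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Fixed clock so the run is reproducible.
	now := time.Date(2018, 9, 1, 0, 0, 0, 0, time.UTC)
	// A one-year certificate issued 200 days ago: caught by the age rule,
	// but not by a 30-day expiry window (it still has about 165 days left).
	pemBytes, err := SelfSignedPEM("kube-apiserver", now.Add(-200*24*time.Hour), now.Add(165*24*time.Hour))
	if err != nil {
		panic(err)
	}
	cert, err := ParsePEMCert(pemBytes)
	if err != nil {
		panic(err)
	}
	s := Evaluate(cert, now)
	fmt.Printf("%s: expiresWithin30d=%v olderThan180d=%v expired=%v\n",
		s.Subject, s.ExpiresWithin, s.OlderThanMaxAge, s.Expired)
}
```

Whichever rule a document states, the operator's runbook has to use the same one: the age rule renews long-lived certificates early and never sees a short-lived one, while the expiry-window rule does the opposite.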
[ca creation]: https://github.com/kubernetes/kubernetes/blob/release-1.11/staging/src/k8s.io/client-go/util/cert/cert.go#L72
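Review bot: the `[ca creation]` link points at a line number on the moving `release-1.11` branch (`cert.go#L72`), so the reference will drift away from the code the text describes as that branch receives cherry-picks; pin it to a commit SHA, as the `postupgrade.go` link earlier in this thread does.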
## Kubelet client certificates
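Review bot: this section should state which scenario it covers. Reviewers below point out that kubelet client certificates already rotate through auto-approved CSRs, so the text needs to distinguish routine expiry, which that rotation handles, from re-bootstrapping after a suspected compromise, where re-using the existing trust path would carry the compromise forward; a reader arriving here after an incident needs to know which case the procedure is for.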
@liztio maybe I don't have all the info here, but why do we need this if we are using Node certificate rotation via CSR auto-approved by the csrapprover controller?
I need review here from a security engineer. My thinking was a compromised certificate could allow the compromise to continue if we used the same trust paths. But maybe that's not a real risk factor?
/approve
Generally lgtm, other than that we might want to call out some of our Slack conversations on default expiration times.
certs bootstrap created. Run `kubeadm phase certs renew kubelet --token <some token>
```

Run the provided command on all kubelet nodes. This re-bootstraps the trust from the master to the nodes.
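Review bot: "Run the provided command on all kubelet nodes" should say what `<some token>` is and how to handle it: the token is what lets a node re-bootstrap its trust with the master, so the document should state the token's lifetime and that it is to be delivered to each node over a trusted channel rather than pasted into shared logs or tickets. The `kubeadm phase certs renew kubelet --token ...` line in this hunk is also missing its closing backtick, the same defect a reviewer flags on the later copy of this output.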
I wonder if we can automate this now via the dynamic kubelet jiggery.
/cc @mtaufen
[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: timothysc

If they are not already assigned, you can assign the PR to them by writing

The full list of commands accepted by this bot can be found here. The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing
Thanks for putting this together @liztio! Do you know if there is a way to rotate the certs after the kubeadm one got expired? If yes, it'd be great to have this described in the docs, as many people may struggle with this (me in particular 😅)
{{% capture steps %}}

As part of upgrades, `kubeadm` will check all certificates it manages for expiration.
If they are expiring within the next month, they will be replaced.
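Review bot: "within the next month" should be given as an exact number of days, and the stated criterion should match what the upgrade code actually does; reviewers earlier in this thread cite `postupgrade.go` as replacing only the API server certificate when it is older than 180 days, which is an age rule rather than an expiry-window rule. Operators will schedule their own renewals from this sentence, so the document and the code must agree.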
Does “the next month” mean 30 days or the next natural month?
{{< warning >}}

Kubernetes CAs do not support OCSP.
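Review bot: "Kubernetes CAs do not support OCSP." should spell out the acronym (Online Certificate Status Protocol) and state the consequence for operators: a certificate that has leaked cannot be marked bad through OCSP and stays usable until its NotAfter date, which is why certificate lifetimes and the renewal steps in this document matter.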
Might be good to write the full words of OCSP?
```
$ kubeadm phase certs renew master
certs bootstrap created. Run `kubeadm phase certs renew kubelet --token <some token>
Missing a ` at the end
Automatic merge from submit-queue (batch tested with PRs 64283, 67910, 67803, 68100). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.

Kubeadm Cert Renewal

**What this PR does / why we need it**: adds explicit support for renewal of certificates via command

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*: Fixes kubernetes/kubeadm#206

**Special notes for your reviewer**: The targeted documentation is at kubernetes/website#9712

**Release note**:
```release-note
Adds the commands `kubeadm alpha phases renew <cert-name>`
```

Kubernetes-commit: 17dde46baebe0b67421132af7b99b42d89ea4cd0
@liztio 👋 Thanks for this PR! It looks like the last activity here was 18 days ago. Please feel free to reopen this PR when you're ready to address review feedback and drop