Support certificate rotation #206
Comments
|
See also kubernetes/kubernetes#4672 |
luxas
added
area/security
kind/tracking-issue
priority/important-longterm
|
@timothysc @pipejakob @mikedanese @jcbsmpsn @jbeda |
|
I think there are still a few steps left to accomplishing this:
Remaining:
All these might be a stretch for 1.8. |
|
/assign @jcbsmpsn |
|
Sub-goal of v1.8 is getting kubelet client cert rotation enabled, ref #386 |
|
It would be cool if somehow this could be configured to run automatically, via cron or something like that, like Docker Swarm mode does. Swarm mode is constantly refreshing certificates, which, to be fair, has its own set of tradeoffs (example: if a worker node panics/partitions and stops refreshing certs for a while, it's locked out of the cluster. not sure if it still happens, but that was one issue we ran into when the feature was new) |
|
@nathanleclaire Not sure what you mean. When certificate rotation is enabled it does rotate the certificates automatically. Currently only the certificate used by the node is done. More work to do for other certificates used by Kubernetes. |
|
@jcbsmpsn Ah, cool. Still catching up on all the fast-moving new Kube stuff :) |
|
Now that kubelet supports auto-rotation, should we enable this feature gate in 1.9? Would we also need to feature gate it? If so, maybe we can make it generic (e.g. |
|
We already enable kubelet client cert autorotation. We'll enable kubelet servingcert rotation if possible in v1.9 |
Not possible yet AFAIK. In the interim we'll do #548 |
|
Ideally we could have a phase command to help rotate. |
|
Suggested MVP is that you would run the |
|
Related to kubelet server certs, once the kubelet uses a kube-issued server cert instead of the current self-signed server cert, then the kube-apiserver also needs |
|
/assign @liztio |
timothysc
added
priority/important-soon
liztio
added
the
lifecycle/active
|
I've done some testing on the client cert upgrades. My methodology:
Based on my reading of the merged features, I should've seen a new certificate for the client node be issued, but so far that hasn't happened. I'll look into this in more detail tomorrow. |
Automatic merge from submit-queue (batch tested with PRs 64283, 67910, 67803, 68100). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md. Kubeadm Cert Renewal **What this PR does / why we need it**: adds explicit support for renewal of certificates via command **Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*: Fixes kubernetes/kubeadm#206 **Special notes for your reviewer**: The targeted documentation is at kubernetes/website#9712 **Release note**: ```release-note Adds the commands `kubeadm alpha phases renew <cert-name>` ```
Automatic merge from submit-queue (batch tested with PRs 64283, 67910, 67803, 68100). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md. Kubeadm Cert Renewal **What this PR does / why we need it**: adds explicit support for renewal of certificates via command **Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*: Fixes kubernetes/kubeadm#206 **Special notes for your reviewer**: The targeted documentation is at kubernetes/website#9712 **Release note**: ```release-note Adds the commands `kubeadm alpha phases renew <cert-name>` ``` Kubernetes-commit: 17dde46baebe0b67421132af7b99b42d89ea4cd0
Automatic merge from submit-queue (batch tested with PRs 64283, 67910, 67803, 68100). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md. Kubeadm Cert Renewal **What this PR does / why we need it**: adds explicit support for renewal of certificates via command **Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*: Fixes kubernetes/kubeadm#206 **Special notes for your reviewer**: The targeted documentation is at kubernetes/website#9712 **Release note**: ```release-note Adds the commands `kubeadm alpha phases renew <cert-name>` ``` Kubernetes-commit: 17dde46baebe0b67421132af7b99b42d89ea4cd0
Automatic merge from submit-queue (batch tested with PRs 64283, 67910, 67803, 68100). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md. Kubeadm Cert Renewal **What this PR does / why we need it**: adds explicit support for renewal of certificates via command **Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*: Fixes kubernetes/kubeadm#206 **Special notes for your reviewer**: The targeted documentation is at kubernetes/website#9712 **Release note**: ```release-note Adds the commands `kubeadm alpha phases renew <cert-name>` ``` Kubernetes-commit: 17dde46baebe0b67421132af7b99b42d89ea4cd0
[FEATURE REQUEST]
We need some way to rotate certificates. Right now we mint certs that expire after 1 year and we have no built in provision to rotate them.
We should either have components manage rotating their own certificates (and writing the certs back to the kubeconfig) or have a way to easily do this from the outside without disrupting a running cluster. Notifying users when rotation is necessary should be part of our design here too.
The text was updated successfully, but these errors were encountered: