kubeadm: add guide for kubelet serving certs and metrics-server #27071
Conversation
k8s-ci-robot
added
sig/cluster-lifecycle
k8s-ci-robot
requested review from
fabriziopandini,
randomvariable,
kbarnard10 and
rajeshdeshpande02
k8s-ci-robot
added
language/en
|
Deploy preview for kubernetes-io-master-staging ready! Built with commit 30c6e77 https://deploy-preview-27071--kubernetes-io-master-staging.netlify.app |
content/en/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md
Outdated
Show resolved
Hide resolved
content/en/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm.md
Outdated
Show resolved
Hide resolved
content/en/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm.md
Show resolved
Hide resolved
content/en/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md
Outdated
Show resolved
Hide resolved
content/en/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md
Outdated
Show resolved
Hide resolved
content/en/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md
Outdated
Show resolved
Hide resolved
neolit123
force-pushed
the
1.21-add-kubelet-serving-cert-guide
branch
2 times, most recently
from
f6a9a3a
to
3de80b5
Compare
|
updated to address the review comments. |
| Third party custom controllers can be used: | ||
| - [kubelet-rubber-stamp](https://github.com/kontena/kubelet-rubber-stamp) | ||
|
|
||
| Such a controller is not a secure mechanism unless it not only verifies the CommonName | ||
| in the CSR but also verifies the requested IPs and domain names. This would prevent | ||
| a malicious actor that has access to a kubelet client certificate to create | ||
| CSRs requesting serving certificates for any IP or domain name. |
There was a problem hiding this comment.
I don't think we should express options on external project; TBH I would avoid the link entirely but I don't want to block on this
There was a problem hiding this comment.
@sftim and randomvariable seem to be fine with mentioning this third-party option.
for cloud provider scenarios we already tell users to consult their provider.
users that don't trust this would have to either use a different rubber-stamp or write their own controller / DS / scripts.
|
@neolit123: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
needs-rebase
|
Needs a rebase, but assuming the obvious approach to rebasing: LGTM. |
neolit123
force-pushed
the
1.21-add-kubelet-serving-cert-guide
branch
from
3de80b5
to
1434983
Compare
k8s-ci-robot
removed
the
needs-rebase
|
rebased. /cc @fabriziopandini |
content/en/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm.md
Outdated
Show resolved
Hide resolved
| - Find and edit the `kubelet-config-x.yy` ConfigMap under `kube-system` to include | ||
| the field `serverTLSBootstrap: true` under the `config` key |
There was a problem hiding this comment.
We could also write:
| - Find and edit the `kubelet-config-x.yy` ConfigMap under `kube-system` to include | |
| the field `serverTLSBootstrap: true` under the `config` key | |
| - Find and edit the `kubelet-config-{{< skew latestVersion >}}` ConfigMap in the `kube-system` namespace. | |
| In that ConfigMap, the `config` key has a | |
| [kubelet configuration](/docs/reference/config-api/kubelet-config.v1beta1/#kubelet-config-k8s-io-v1beta1-KubeletConfiguration) document as | |
| its value. Edit the kubelet configuration document to set `serverTLSBootstrap: true`. |
(untested!)
- maybe in a follow-up PR?
There was a problem hiding this comment.
https://kubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/ recommends changing the ConfigMap that kubelets use (a different name); is that advice related to what's recommended here?
There was a problem hiding this comment.
maybe in a follow-up PR?
updated in this PR.
https://kubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/ recommends changing the ConfigMap that kubelets use (a different name); is that advice related to what's recommended here?
kubeadm uses a single ConfigMap, so need to introduce a new ConfigMap with a different name.
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: 7026c4a74d5a963e5d7e1975c03ed0b156e6f363
|
Include a new section of the kubeadm certificate management page to talk about kubelet serving certificates and how to make them signed. Also include a note about using secure connection with the metrics-server.
neolit123
force-pushed
the
1.21-add-kubelet-serving-cert-guide
branch
from
1434983
to
30c6e77
Compare
k8s-ci-robot
removed
the
lgtm
|
@sftim |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: kbhawkey The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: 59c4229345bb7edcf59b4501db23c61b8575a2f1
|
note: targeting the
masterbranch is accurate for this change.Include a new section of the kubeadm certificate management page
to talk about kubelet serving certificates and how to make
them signed. Also include a note about using secure connection
with the metrics-server.
fixes kubernetes/kubeadm#1602
/sig cluster-lifecycle