Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

until there is an auth plan tls testing should support insecure #274

Merged
merged 1 commit into from
Mar 21, 2018

Conversation

mikebrow
Copy link
Contributor

@mikebrow mikebrow commented Mar 20, 2018

Over on containerd/cri#681 we added support to containerd/cri and expected that critools would support tls without auth. However, the following error occurs when attempt to run validation:

Mar 19 20:49:18.310: INFO: Unexpected error occurred: error sending request: Post https://10.20.0.36:10010/attach/Vy2abuwM: x509: certificate signed by unknown authority

This commit relaxes the certificate requirement on the server, before an encrypted stream can be started from crictl and critest validate.

We should probably discuss, and/or open an issue to discuss, security requirements for streaming for the CRI API.

@Random-Liu

Signed-off-by: Mike Brown [email protected]

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Mar 20, 2018
@Random-Liu Random-Liu self-assigned this Mar 20, 2018
@Random-Liu
Copy link
Contributor

Random-Liu commented Mar 21, 2018

Discussed with @tallclair, today the behavior of streaming authentication is not defined in CRI yet. And at least apiserver on GCE doesn't actually validate the certificate. I think it makes sense to skip the certificate validation in CRI validation test for now, until this is defined in CRI.

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 21, 2018
@Random-Liu Random-Liu merged commit 207e773 into kubernetes-sigs:master Mar 21, 2018
@feiskyer
Copy link
Member

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants