Security Self Assessment: [STRIDE-INFODISCLOSE-3] RFE: Improve certificate management in Cluster API #5490
Comments
k8s-ci-robot
added
kind/feature
vincepri
changed the title
|
/milestone v1.1 |
|
/priority important-soon |
k8s-ci-robot
added
the
priority/important-soon
|
I agree with the sentiment, but I also think simple changes to kubeadm defaults would go a long way. cc @neolit123 |
|
My take is that the default of 1 year is sane WRT keys sizes, RSA
recommendations and k8s release cadence. Higher level tools have multiple
options.
- preping certs that are longer lived by signing kubeadm generated CSRs for
multiple years.
- having a controller that rotates certs and restarts nodes / components
programmatically in the right sequence.
|
|
/area kcp |
|
@randomvariable: The label(s) In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/area ? |
|
@randomvariable: The label(s) In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/area control-plane |
k8s-ci-robot
added
the
area/control-plane
|
@PushkarJ it would be good to get feedback from security folk. |
|
+1 Agree that it would be fantastic to get this as a built-in feature in CAPI. CA hierarchy and CAPI cluster hierarchy also lends itself several benefits of simplicity in how we could manage the root of trust. However, it might be helpful to understand what problem we are trying to solve (which might be well-known but is worth re-iterating in detail) by sharing the current state and its drawbacks. Is this were Cluster API Enhancement Proposal would come into picture that elaborates more on motivations, current state, its drawbacks and future state? |
I don't think there's anything more to add from a provider specific PoV. At least if we consider the possibility of leveraging cert-manager for generation, then we can defer provider specific implementations to it. |
|
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
/remove-lifecycle stale |
k8s-ci-robot
removed
the
lifecycle/stale
|
/lifecycle frozen |
k8s-ci-robot
added
the
lifecycle/frozen
|
Security Self Assessment: [STRIDE-INFODISCLOSE-3] RFE: Improve certificate management in Cluster API |
|
/retitle Security Self Assessment: [STRIDE-INFODISCLOSE-3] RFE: Improve certificate management in Cluster API |
k8s-ci-robot
changed the title
k8s-ci-robot
added
area/security
|
I've created a separate issue to track machine certificate renewal specifically: #6529 |
fabriziopandini
added
the
triage/accepted
fabriziopandini
removed
the
triage/accepted
|
/unassign |
k8s-ci-robot
added
the
triage/accepted
|
@fabriziopandini the linked PR does look promising. We can close this with the usual caveat that if somebody feels like there is something left in the scope that is not covered in the new feature docs, we should reopen the issue. |
|
Thanks @PushkarJ ! |
|
@fabriziopandini: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
User Story
As a user/operator I would like to have control on how certificates are created
As a user/operator I would like to have visibility on certificate expiration date
As a user/operator I would like CAPI to support me in certificate lifecycle management
As a user/operator I would like to have the option to rely on external tools for certificate management
Detailed Description
As of today Cluster API provide a minimal support for certificate management, mostly util for management of secrets with certificate authorities, while over time the responsibility of creating certificates has been delegated to control plane providers.
While this approach worked well, some shortcomings are starting to surface, mostly boiling up to the fact that there is no top level certificate management primitives in our API, and this makes it difficult and fragmented the answer to:
Last but not least, CAPI leaks of a clean interface for integrating with external tools for certificate management, like e.g Hashicorp Vault.
This issue is about starting an effort for rethinking this area, and providing a clean solution for addressing above concerns starting from the two issues that mostly concern users, that are better support for certificate renewal and CA rotation tasks
/kind feature
/kind proposal
@randomvariable to add more from a provider PoV
The text was updated successfully, but these errors were encountered: