enable kubelet client certificate rotation #4081
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
k8s-ci-robot
added
size/XS
LuckySB
force-pushed
the
kubelet_rotate_certificate
branch
from
c436b3e to
82fb806
Compare
|
ci check this |
|
/assign @mirwan |
dannyk81
reviewed
Jan 26, 2019
|
/assign @riverzhang |
|
I don't disagree, but given that this is a configurable parameter in
kubeadm, it would be a best practice to include it as a configurable flag
in Kubespray as well with a default to true (which as you suggested would
make sense for most use cases).
Just my 2 cents.
…On Sat, 26 Jan 2019 at 13:55, Sergey ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In roles/kubernetes/node/templates/kubelet.kubeadm.env.j2
<#4081 (comment)>
:
> @@ -28,6 +28,7 @@ KUBELET_HOSTNAME="--hostname-override={{ kube_override_hostname }}"
{% endif %}
--enforce-node-allocatable={{ kubelet_enforce_node_allocatable }} \
--client-ca-file={{ kube_cert_dir }}/ca.crt \
+--rotate-certificates=true \
I can not imagine a situation where it will be necessary not to renew
certificates.
With the goal after 1 year to get broken cluster
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#4081 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AXJk7PUV99_OTgkGhk2M79KrYb9E9-3fks5vHKS1gaJpZM4aLutK>
.
|
ok. |
dannyk81
reviewed
Jan 28, 2019
|
ci check this |
|
This might need a rebase to pick up CI changes |
LuckySB
force-pushed
the
kubelet_rotate_certificate
branch
from
29ac188 to
fc3eb5c
Compare
rebased |
|
@chadswen is this planned to be merged? seems like an important option to have. |
|
merge please |
woopstar
reviewed
Apr 3, 2019
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: LuckySB, woopstar The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
up |
b23prodtm
added a commit
to b23prodtm/kubespray
that referenced
this pull request
Apr 7, 2019
* fix(contrib/metallb): adds missing become: true in role (kubernetes-sigs#4356) On CoreOS, without this, it fails to kubectl apply MetalLB due to lack of privileges. * Fix kubernetes-sigs#4237: update kube cert path (kubernetes-sigs#4354) * Use sample inventory file in doc (kubernetes-sigs#4052) * Revert "Fix kubernetes-sigs#4237: update kube cert path (kubernetes-sigs#4354)" (kubernetes-sigs#4369) This reverts commit ea7a6f1. This change modified the certs dir for Kubernetes, but did not move the directories for existing clusters. * Fix support for ansible 2.7.9 (kubernetes-sigs#4375) * Use wide for netchecker debug output (kubernetes-sigs#4383) * Added support of bastion host for reset.yaml (kubernetes-sigs#4359) * Added support of bastion host for reset.yaml * Empty commit to triger CI * Use proxy_env with kubeadm phase commands (kubernetes-sigs#4325) * clarify that kubespray now supports kubeadm (fixes kubernetes-sigs#4089) (kubernetes-sigs#4366) * Reduce jinja2 filters in coredns templates (kubernetes-sigs#4390) * Upgrade to k8s 1.13.5 * Increase CPU flavor for CI (kubernetes-sigs#4389) * Fix CA cert environment variable for ectd v3 (kubernetes-sigs#4381) * Added livenessProbe for local nginx apiserver proxy liveness probe (kubernetes-sigs#4222) * Added configurable local apiserver proxy liveness probe * Enable API LB healthcheck by default * Fix template spacing and moved healthz location to nginx http section * Fix healthcheck listen address to allow kubelet request healthcheck * Default values for variable dns_servers and dns_domain are set in two files: (kubernetes-sigs#3999) values from inventory in roles/kubespray-defaults/defaults/main.yml hardcoded values in roles/container-engine/defaults/main.yml dns_servers set empty in roles/container-engine/defaults/main.yml and skydns_server not set in docker_dns_servers variables also set default value for manual_dns_serve another variables in roles/container-engine/defaults not need to set * Fix bootsrap-os role, failing to create remote_tmp (kubernetes-sigs#4384) * Fix bootsrap-os role, failing to create remote_tmp * use ansible_remote_tmp hostvar * Use static files in KubeDNS templating task (kubernetes-sigs#4379) This commit adapts the "Lay Down KubeDNS Template" task to use the static files moved by pull request [1] [1] kubernetes-sigs#4341 * Fix supplementary_addresses rendering error (kubernetes-sigs#4403) * Corrected cloud name (kubernetes-sigs#4316) The correct name is Packet, not Packet Host. * adapt inventory script to python 2.7 version (kubernetes-sigs#4407) * Calico felix - Fix jinja2 boolean condition (kubernetes-sigs#4348) * Fix jinja2 boolean condition * Convert all felix variable to booleans instead. * Yamllint fixes (kubernetes-sigs#4410) * Lint everything in the repository with yamllint * yamllint fixes: syntax fixes only * yamllint fixes: move comments to play names * yamllint fixes: indent comments in .gitlab-ci.yml file * add 1.14.0 checksum, remove 1.11.* checksums (kubernetes-sigs#4401) * Remove kubedns and dnsmasq. Move dns_late phase after apps (kubernetes-sigs#4406) Both kubedns and dnsmasq modes are long not maintained. We should run dns_late steps at the end because sshd makes DNS lookups during Ansible run and has 2s timeouts for each failed lookup trying to connect to coredns before it is ready. * Speed up old docker package removal (kubernetes-sigs#4408) Both the `yum` and `apt` modules support a list as input, this allows us avoid the slower `with_items` approach, which can take a long time with a large count of cluster nodes. * Use install_cni init container for cni copy for calico/canal (kubernetes-sigs#4416) * Fixed cleanup-docker-orphans.sh to use docker-containerd-shim and containerd-shim (kubernetes-sigs#4418) * enable kubelet client certificate rotation (kubernetes-sigs#4081) * enable kubelet client certificate rotation * change to variable kubelet_rotate_certificates * remove our config if docker start failed (kubernetes-sigs#4260) * keep compatibility as it was before (kubernetes-sigs#4268) * jmespath is required when re-running cluster.yml (kubernetes-sigs#4426) * Update DNS Autoscaler to 1.4.0 (kubernetes-sigs#4425) * Update DNS Autoscaler * Update downloads too * Fix yamllint * Fix yamllint * Update nodelocaldns cache settings (kubernetes-sigs#4423) * Update CoreDNS to 1.4.0 (kubernetes-sigs#4422) * Update CoreDNS to 1.4.0 * Update readme to reflect CoreDNS update * Use docker.io for calico (kubernetes-sigs#4253) * Add CI for contrib/terraform/ (kubernetes-sigs#4133) * add Cinder allowVolumeExpansion option (kubernetes-sigs#4415) * allow Suse OS family (kubernetes-sigs#4430) * Remove bash-completion (kubernetes-sigs#4431) * Tell git to ignore .terraform directory (kubernetes-sigs#4428) The .terraform directory is populated when modules are downloaded: https://www.terraform.io/docs/commands/get.html "The modules are downloaded into a local .terraform folder. This folder should not be committed to version control." * Fix pep8 warnings (kubernetes-sigs#4368) * Update premoderator to fix Github API throttle (kubernetes-sigs#4424) * Update premoderator to fix Github API throttle * Update premoderator script Add exit codes and document the exit code. * Fix indentation
b23prodtm
added a commit
to b23prodtm/kubespray
that referenced
this pull request
Apr 7, 2019
* fix(contrib/metallb): adds missing become: true in role (kubernetes-sigs#4356) On CoreOS, without this, it fails to kubectl apply MetalLB due to lack of privileges. * Fix kubernetes-sigs#4237: update kube cert path (kubernetes-sigs#4354) * Use sample inventory file in doc (kubernetes-sigs#4052) * Revert "Fix kubernetes-sigs#4237: update kube cert path (kubernetes-sigs#4354)" (kubernetes-sigs#4369) This reverts commit ea7a6f1. This change modified the certs dir for Kubernetes, but did not move the directories for existing clusters. * Fix support for ansible 2.7.9 (kubernetes-sigs#4375) * Use wide for netchecker debug output (kubernetes-sigs#4383) * Added support of bastion host for reset.yaml (kubernetes-sigs#4359) * Added support of bastion host for reset.yaml * Empty commit to triger CI * Use proxy_env with kubeadm phase commands (kubernetes-sigs#4325) * clarify that kubespray now supports kubeadm (fixes kubernetes-sigs#4089) (kubernetes-sigs#4366) * Reduce jinja2 filters in coredns templates (kubernetes-sigs#4390) * Upgrade to k8s 1.13.5 * Increase CPU flavor for CI (kubernetes-sigs#4389) * Fix CA cert environment variable for ectd v3 (kubernetes-sigs#4381) * Added livenessProbe for local nginx apiserver proxy liveness probe (kubernetes-sigs#4222) * Added configurable local apiserver proxy liveness probe * Enable API LB healthcheck by default * Fix template spacing and moved healthz location to nginx http section * Fix healthcheck listen address to allow kubelet request healthcheck * Default values for variable dns_servers and dns_domain are set in two files: (kubernetes-sigs#3999) values from inventory in roles/kubespray-defaults/defaults/main.yml hardcoded values in roles/container-engine/defaults/main.yml dns_servers set empty in roles/container-engine/defaults/main.yml and skydns_server not set in docker_dns_servers variables also set default value for manual_dns_serve another variables in roles/container-engine/defaults not need to set * Fix bootsrap-os role, failing to create remote_tmp (kubernetes-sigs#4384) * Fix bootsrap-os role, failing to create remote_tmp * use ansible_remote_tmp hostvar * Use static files in KubeDNS templating task (kubernetes-sigs#4379) This commit adapts the "Lay Down KubeDNS Template" task to use the static files moved by pull request [1] [1] kubernetes-sigs#4341 * Fix supplementary_addresses rendering error (kubernetes-sigs#4403) * Corrected cloud name (kubernetes-sigs#4316) The correct name is Packet, not Packet Host. * adapt inventory script to python 2.7 version (kubernetes-sigs#4407) * Calico felix - Fix jinja2 boolean condition (kubernetes-sigs#4348) * Fix jinja2 boolean condition * Convert all felix variable to booleans instead. * Yamllint fixes (kubernetes-sigs#4410) * Lint everything in the repository with yamllint * yamllint fixes: syntax fixes only * yamllint fixes: move comments to play names * yamllint fixes: indent comments in .gitlab-ci.yml file * add 1.14.0 checksum, remove 1.11.* checksums (kubernetes-sigs#4401) * Remove kubedns and dnsmasq. Move dns_late phase after apps (kubernetes-sigs#4406) Both kubedns and dnsmasq modes are long not maintained. We should run dns_late steps at the end because sshd makes DNS lookups during Ansible run and has 2s timeouts for each failed lookup trying to connect to coredns before it is ready. * Speed up old docker package removal (kubernetes-sigs#4408) Both the `yum` and `apt` modules support a list as input, this allows us avoid the slower `with_items` approach, which can take a long time with a large count of cluster nodes. * Use install_cni init container for cni copy for calico/canal (kubernetes-sigs#4416) * Fixed cleanup-docker-orphans.sh to use docker-containerd-shim and containerd-shim (kubernetes-sigs#4418) * enable kubelet client certificate rotation (kubernetes-sigs#4081) * enable kubelet client certificate rotation * change to variable kubelet_rotate_certificates * remove our config if docker start failed (kubernetes-sigs#4260) * keep compatibility as it was before (kubernetes-sigs#4268) * jmespath is required when re-running cluster.yml (kubernetes-sigs#4426) * Update DNS Autoscaler to 1.4.0 (kubernetes-sigs#4425) * Update DNS Autoscaler * Update downloads too * Fix yamllint * Fix yamllint * Update nodelocaldns cache settings (kubernetes-sigs#4423) * Update CoreDNS to 1.4.0 (kubernetes-sigs#4422) * Update CoreDNS to 1.4.0 * Update readme to reflect CoreDNS update * Use docker.io for calico (kubernetes-sigs#4253) * Add CI for contrib/terraform/ (kubernetes-sigs#4133) * add Cinder allowVolumeExpansion option (kubernetes-sigs#4415) * allow Suse OS family (kubernetes-sigs#4430) * Remove bash-completion (kubernetes-sigs#4431) * Tell git to ignore .terraform directory (kubernetes-sigs#4428) The .terraform directory is populated when modules are downloaded: https://www.terraform.io/docs/commands/get.html "The modules are downloaded into a local .terraform folder. This folder should not be committed to version control." * Fix pep8 warnings (kubernetes-sigs#4368) * Update premoderator to fix Github API throttle (kubernetes-sigs#4424) * Update premoderator to fix Github API throttle * Update premoderator script Add exit codes and document the exit code. * Fix indentation * Upgrade to Helm 2.13.1 (kubernetes-sigs#4445)
LuckySB
added a commit
to southbridgeio/kubespray
that referenced
this pull request
Apr 9, 2019
* enable kubelet client certificate rotation * change to variable kubelet_rotate_certificates
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
kubeadm generate certificate only on 1 year, and we need to renew it
kubeadm enable kubelet certificate rotation by default
kubernetes/kubernetes#52196
but kubespray generate own kubelet.env file with config parameters without enabled certificate rotations
so add --rotate-certificates to kubelet config