Kubeadm "init" via a Root CA #1631
Comments
k8s-ci-robot
added
the
kind/feature
neolit123
added
area/security
priority/awaiting-more-evidence
the problem needs a better definition. could you provide more detail? what prevents CAPI to copy the root CA to the primary
this change in the in-tree controller might not make it in, or it might after 1-2 years of discussion. /assign @detiber @vincepri |
Copying the certificates to the primary nodes is what CAPA/CAPV does currently, however, the method used to get the keys on the host is insecure (user-data) and starts creating other issues around user-data size limitations (kubernetes-sigs/cluster-api-provider-aws#847 (comment)) This doesn't strictly need to be done in kubeadm, it could be implemented in a "wrapper" around kubeadm or via something like SPIRE
I agree, the only reason I would even suggest doing it in k/k, is to not add any dependencies for kubeadm - after thinking about it kubeadm could just fallback to using a single root CA (with a warning that cross-talk between clusters will be possible) |
it does seem like a problem that can be resolved higher up the stack. |
|
closing as something that can be resolved by tools wrapping kubeadm. |
/kind feature request
The new
--upload-certsoption is great for joining additional control plane nodes, but it doesn't solve the problem of securely distributing certificates for use cases like Cluster API.I think this could be solved by turning the problem around, and rather than distributing certificates followed a typical CSR model.
kubeadm --init --token <> --management-api-server <>--cafilesI think this will also need changes to k/k Certificate Controller to support more than 1 root CA, or an out of tree controller.
The text was updated successfully, but these errors were encountered: