Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

kube-apiserver-etcd-client shouldn't have O=system:masters #2926

Closed
nnlkcncff opened this issue Sep 7, 2023 · 4 comments · Fixed by kubernetes/kubernetes#120521 or kubernetes/website#42942
Closed

kube-apiserver-etcd-client shouldn't have O=system:masters #2926

nnlkcncff opened this issue Sep 7, 2023 · 4 comments · Fixed by kubernetes/kubernetes#120521 or kubernetes/website#42942
Assignees
@SataQiu
Labels
area/pki PKI and certificate related issues kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. priority/backlog Higher priority than priority/awaiting-more-evidence.
Milestone
v1.29

Comments

@nnlkcncff
Copy link

Versions

kubeadm version --output short
v1.27.3

kubectl version --short
Client Version: v1.27.3

# cloud provider: n/a

cat /etc/os-release
PRETTY_NAME="Ubuntu 23.04"

uname -a
Linux master-1 6.2.0-20-generic #20-Ubuntu SMP PREEMPT_DYNAMIC Thu Apr  6 07:48:48 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

containerd --version
containerd github.com/containerd/containerd v1.7.2 0cae528dd6cb557f7201036e9f43420650207b58

# CNI: calico

What happened?

The kube-apiserver-etcd-client certificate is created as specified in the documentation, but this issue proved that this is not as it should be.

What you expected to happen?

The kube-apiserver-etcd-client certificate should be created without O=system:masters, because etcd doesn't take this into account.

How to reproduce it (as minimally and precisely as possible)?

kubeadm init
@SataQiu
Copy link
Member

SataQiu commented Sep 8, 2023

/assign
Will have a look.

@neolit123 neolit123 added this to the v1.29 milestone Sep 8, 2023
@neolit123 neolit123 added priority/backlog Higher priority than priority/awaiting-more-evidence. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. area/pki PKI and certificate related issues labels Sep 8, 2023
@SataQiu SataQiu mentioned this issue Sep 8, 2023
Merged
1 task
@neolit123
Copy link
Member

@SataQiu would like to also send the k/website change?

@SataQiu
Copy link
Member

SataQiu commented Sep 8, 2023
edited
Loading

@SataQiu would like to also send the k/website change?

Yes, I will do it after this PR(kubernetes/kubernetes#120521) is merged.

@neolit123 neolit123 reopened this Sep 8, 2023
This was referenced Sep 8, 2023
Closed
Merged
@neolit123
Copy link
Member

same issue for the apiserver-kubelet-client.crt
kubernetes/kubernetes#121837
kubernetes/website#43870

@SataQiu SataQiu mentioned this issue Nov 10, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@SataQiu SataQiu

Labels
area/pki PKI and certificate related issues kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. priority/backlog Higher priority than priority/awaiting-more-evidence.
Projects
None yet
Milestone
v1.29
3 participants
@neolit123 @SataQiu @nnlkcncff