Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Inconsistency in doc for kube-apiserver-etcd-client Certificate O=system:masters requirement #42724

Closed
nnlkcncff opened this issue Aug 25, 2023 · 7 comments · Fixed by #42942
Closed

Inconsistency in doc for kube-apiserver-etcd-client Certificate O=system:masters requirement #42724

nnlkcncff opened this issue Aug 25, 2023 · 7 comments · Fixed by #42942
Labels
language/en Issues or PRs related to English language needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle.

Comments

@nnlkcncff
Copy link
Contributor

https://kubernetes.io/docs/setup/best-practices/certificates/#all-certificates

According to the documentation, the kube-apiserver-etcd-client certificate requires O=system:masters, but how can it be needed if etcd doesn't take this into account?

Perhaps O=system:masters should be removed for the kube-apiserver-etcd-client certificate and then I can create an issue on the kubeadm repo like like the one I created earlier.
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Aug 25, 2023
@k8s-ci-robot
Copy link
Contributor

This issue is currently awaiting triage.

SIG Docs takes a lead on issue triage for this website, but any Kubernetes member can accept issues by applying the triage/accepted label.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@dipesh-rawat
Copy link
Member

Page related to issue: https://kubernetes.io/docs/setup/best-practices/certificates/
/language en

@k8s-ci-robot k8s-ci-robot added the language/en Issues or PRs related to English language label Aug 25, 2023
@dipesh-rawat
Copy link
Member

/retitle Inconsistency in doc for kube-apiserver-etcd-client Certificate O=system:masters requirement
/sig cluster-lifecycle

@k8s-ci-robot k8s-ci-robot changed the title need O=system:masters for kube-apiserver-etcd-client Inconsistency in doc for kube-apiserver-etcd-client Certificate O=system:masters requirement Aug 25, 2023
@k8s-ci-robot k8s-ci-robot added the sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. label Aug 25, 2023
@sftim
Copy link
Contributor

sftim commented Aug 26, 2023

/sig api-machinery auth

@k8s-ci-robot k8s-ci-robot added sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. labels Aug 26, 2023
@neolit123
Copy link
Member

Perhaps O=system:masters should be removed for the kube-apiserver-etcd-client certificate and then I can create an issue on the kubeadm repo like like the one I created earlier.

+1
PRs welcome
thanks

@nnlkcncff
Copy link
Contributor Author

@neolit123, sorry but I don't understand what do you mean — just agreement or confirmation about what should be done? :)
You seem to confirm that O=system:masters is indeed not required in the kube-apiserver-etcd-client certificate certificate, but I'm not sure because there are still no updates in the issue and the documentation is still not changed. So, I can't figure out if I should create an issue in the kubeadm repository.

@neolit123
Copy link
Member

yes, you can log the issue in k/kubeadm.
in terms of updating the docs, i said "prs welcome", thus if you l'd like to help us you can send the docs change / pull request.

This was referenced Sep 7, 2023
Merged
Closed
@SataQiu SataQiu mentioned this issue Sep 8, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
language/en Issues or PRs related to English language needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

remove "O=system:masters" from "kube-apiserver-etcd-client".md
5 participants
@neolit123 @dipesh-rawat @k8s-ci-robot @sftim @nnlkcncff