kubeadm: add guide for kubelet serving certs and metrics-server #27071
Conversation
Deploy preview for kubernetes-io-master-staging ready! Built with commit 30c6e77 https://deploy-preview-27071--kubernetes-io-master-staging.netlify.app
Thanks!
Some feedback. I'm not sure about the heading “Cannot use the metrics-server securely in a kubeadm cluster” and also I'd like to include a 3rd party content warning for kubelet-rubber-stamp.
Plus a few less important details.
force-pushed from f6a9a3a to 3de80b5
updated to address the review comments.
Third party custom controllers can be used:
- [kubelet-rubber-stamp](https://github.com/kontena/kubelet-rubber-stamp)
Such a controller is not a secure mechanism unless it not only verifies the CommonName in the CSR but also verifies the requested IPs and domain names. This would prevent a malicious actor that has access to a kubelet client certificate to create CSRs requesting serving certificates for any IP or domain name.
I don't think we should express options on external project; TBH I would avoid the link entirely but I don't want to block on this
@sftim and randomvariable seem to be fine with mentioning this third-party option.
for cloud provider scenarios we already tell users to consult their provider.
users that don't trust this would have to either use a different rubber-stamp or write their own controller / DS / scripts.
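The requirement in the quoted page text above (verify the requested IPs and domain names, not only the CommonName), as an added Go example that is not part of this PR nor of kubelet-rubber-stamp: an approval function that accepts a kubelet serving CSR only when its subject is a known node and every requested SAN is an address already recorded for that node. The node name, the address map and the NewServingCSR helper are constructed for the example; a real controller would read node addresses from the API server.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"net"
	"strings"
)

// ApproveServingCSR allows a kubelet serving CSR only if its subject is a known node
// (CN=system:node:<name>, O=system:nodes) AND every requested SAN is one of that node's
// recorded addresses; a CN-only check would let any holder of a node credential obtain
// a serving certificate for arbitrary names. nodes maps a node name to the set of DNS
// names and IPs recorded for it (a real controller reads these from Node objects).
func ApproveServingCSR(der []byte, nodes map[string]map[string]bool) error {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil || csr.CheckSignature() != nil { // must parse and prove key possession
		return fmt.Errorf("CSR is malformed or its signature does not verify")
	}
	name := strings.TrimPrefix(csr.Subject.CommonName, "system:node:")
	known := nodes[name]
	if name == csr.Subject.CommonName || known == nil || strings.Join(csr.Subject.Organization, ",") != "system:nodes" {
		return fmt.Errorf("subject %q is not a known node", csr.Subject.String())
	}
	if len(csr.EmailAddresses) > 0 || len(csr.URIs) > 0 {
		return fmt.Errorf("serving CSR may only carry DNS and IP SANs")
	}
	for _, ip := range csr.IPAddresses { // fold IPs into one list of requested names
		csr.DNSNames = append(csr.DNSNames, ip.String())
	}
	for _, san := range csr.DNSNames {
		if !known[san] {
			return fmt.Errorf("SAN %q is not a recorded address of node %s", san, name)
		}
	}
	return nil
}

// NewServingCSR builds a DER CSR shaped like a kubelet's so the check can run offline.
func NewServingCSR(node string, dns []string, ips []net.IP) ([]byte, error) {
	_, key, _ := ed25519.GenerateKey(rand.Reader) // throwaway key for the example
	return x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:     pkix.Name{CommonName: "system:node:" + node, Organization: []string{"system:nodes"}},
		DNSNames:    dns,
		IPAddresses: ips,
	}, key)
}
```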
@neolit123: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Needs a rebase, but assuming the obvious approach to rebasing: LGTM.
force-pushed from 3de80b5 to 1434983
rebased. /cc @fabriziopandini
Some feedback. I don't think it needs to block merging these changes.
LGTM!
- Find and edit the `kubelet-config-x.yy` ConfigMap under `kube-system` to include the field `serverTLSBootstrap: true` under the `config` key
We could also write:
- Find and edit the `kubelet-config-{{< skew latestVersion >}}` ConfigMap in the `kube-system` namespace. In that ConfigMap, the `config` key has a [kubelet configuration](/docs/reference/config-api/kubelet-config.v1beta1/#kubelet-config-k8s-io-v1beta1-KubeletConfiguration) document as its value. Edit the kubelet configuration document to set `serverTLSBootstrap: true`.
(untested!)
- maybe in a follow-up PR?
https://kubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/ recommends changing the ConfigMap that kubelets use (a different name); is that advice related to what's recommended here?
maybe in a follow-up PR?
updated in this PR.
https://kubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/ recommends changing the ConfigMap that kubelets use (a different name); is that advice related to what's recommended here?
kubeadm uses a single ConfigMap, so need to introduce a new ConfigMap with a different name.
/lgtm
LGTM label has been added. Git tree hash: 7026c4a74d5a963e5d7e1975c03ed0b156e6f363
Include a new section of the kubeadm certificate management page to talk about kubelet serving certificates and how to make them signed. Also include a note about using secure connection with the metrics-server.
force-pushed from 1434983 to 30c6e77
@sftim
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: kbhawkey The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/lgtm
LGTM label has been added. Git tree hash: 59c4229345bb7edcf59b4501db23c61b8575a2f1
note: targeting the master branch is accurate for this change.
Include a new section of the kubeadm certificate management page to talk about kubelet serving certificates and how to make them signed. Also include a note about using secure connection with the metrics-server.
fixes kubernetes/kubeadm#1602
/sig cluster-lifecycle