ClusterTrustBundles: document projected volumes #43600
Conversation
👷 Deploy Preview for kubernetes-io-vnext-staging processing.
|
k8s-ci-robot
added
cncf-cla: yes
k8s-ci-robot
added
language/en
|
/sig security /retitle [WIP] ClusterTrustBundles: document projected volumes |
k8s-ci-robot
changed the title
k8s-ci-robot
added
sig/security
There was a problem hiding this comment.
Thanks
Be sure to update https://k8s.io/docs/concepts/storage/projected-volumes/ as well
|
Hi, @ahmedtd! v1.29 Docs Lead here. Please take a look at Documenting for a release - PR Ready for Review to get your PR ready for review before Tuesday 14th November 2023. Thank you! |
ahmedtd
force-pushed
the
ctb-projection
branch
from
e6bcd33 to
48db373
Compare
k8s-ci-robot
added
size/M
ahmedtd
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
ahmedtd
force-pushed
the
ctb-projection
branch
from
48db373 to
9e65d6b
Compare
There was a problem hiding this comment.
looks good, just a few nits / suggestions
also add rows in https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/ for ClusterTrustBundle and ClusterTrustBundleProjection gates
|
|
||
| {{< note >}} | ||
| In Kubernetes {{< skew currentVersion >}}, you must enable the `ClusterTrustBundle` and `ClusterTrustBundleProjection` | ||
| [feature gates](/docs/reference/command-line-tools-reference/feature-gates/) to use this feature. |
There was a problem hiding this comment.
and API, right (with --runtime-config=certificates.k8s.io/v1alpha1/clustertrustbundles=true)?
|
|
||
| To select by name, use the `name` field to designate a single ClusterTrustBundle object. | ||
|
|
||
| To select by signer name, use the `signerName` and `labelSelector` fields to |
There was a problem hiding this comment.
| To select by signer name, use the `signerName` and `labelSelector` fields to | |
| To select by signer name, use the `signerName` field (and optionally the `labelSelector` field) to |
| If `labelSelector` is not present, then all ClusterTrustBundles for that signer | ||
| are selected. | ||
|
|
||
| In both cases, Kubelet will deduplicate all of the certificates from the selected ClusterTrustBundle objects, normalize the PEM representations (discarding comments and headers), and shuffle the order of the certificates before writing them into the file named by `path`. As the set of selected ClusterTrustBundles, or their content, changes, Kubelet will keep the file up-to-date. |
There was a problem hiding this comment.
| In both cases, Kubelet will deduplicate all of the certificates from the selected ClusterTrustBundle objects, normalize the PEM representations (discarding comments and headers), and shuffle the order of the certificates before writing them into the file named by `path`. As the set of selected ClusterTrustBundles, or their content, changes, Kubelet will keep the file up-to-date. | |
| The Kubelet deduplicates the certificates in the selected ClusterTrustBundle objects, normalizes the PEM representations (discarding comments and headers), reorders the certificates, and writes them into the file named by `path`. As the set of selected ClusterTrustBundles or their content changes, Kubelet keeps the file up-to-date. |
| spec: | ||
| containers: | ||
| - name: container-test | ||
| image: busybox:1.28 |
There was a problem hiding this comment.
Copied this from the example next to it. Removed.
| name: foo | ||
| path: foo-roots.pem |
There was a problem hiding this comment.
nit: use something like example instead of foo?
|
/assign |
ahmedtd
force-pushed
the
ctb-projection
branch
from
9e65d6b to
130f234
Compare
Done. |
There was a problem hiding this comment.
Add docs for the projected feature gate in the List of feature gates section.
| @@ -71,6 +71,8 @@ For a reference to old feature gates that are removed, please refer to | |||
| | `AnyVolumeDataSource` | `false` | Alpha | 1.18 | 1.23 | | |||
| | `AnyVolumeDataSource` | `true` | Beta | 1.24 | | | |||
| | `AppArmor` | `true` | Beta | 1.4 | | | |||
| | `ClusterTrustBundle` | `false` | Alpha | 1.28 | | | |||
There was a problem hiding this comment.
This is already in this file (see below on line 89).
There was a problem hiding this comment.
This is the key outstanding feedback blocking a merge, I think.
|
Hi, @ahmedtd! Kubernetes v1.29 Docs Lead here. Just a reminder that the deadline to have this PR reviewed and merged is Tuesday, 28 November. Let me know if you need any help! CCing KEP owners: @liggitt @enj @mikedanese |
|
|
||
| The Kubelet deduplicates the certificates in the selected ClusterTrustBundle objects, normalizes the PEM representations (discarding comments and headers), reorders the certificates, and writes them into the file named by `path`. As the set of selected ClusterTrustBundles or their content changes, Kubelet keeps the file up-to-date. | ||
|
|
||
| By default, the Kubelet will prevent the pod from starting if the named ClusterTrustBundle is not found, or if `signerName` / `labelSelector` do not match any ClusterTrustBundles. If this behavior is not desired, then set the `optional` field to `true`, and the pod will start up with an empty file at `path`. |
There was a problem hiding this comment.
(a nit)
| By default, the Kubelet will prevent the pod from starting if the named ClusterTrustBundle is not found, or if `signerName` / `labelSelector` do not match any ClusterTrustBundles. If this behavior is not desired, then set the `optional` field to `true`, and the pod will start up with an empty file at `path`. | |
| By default, the kubelet prevents the pod from starting if the named ClusterTrustBundle is not found, or if `signerName` / `labelSelector` do not match any ClusterTrustBundles. If this behavior is not what you want, then set the `optional` field to `true`, and the pod will start up with an empty file at `path`. |
| @@ -71,6 +71,8 @@ For a reference to old feature gates that are removed, please refer to | |||
| | `AnyVolumeDataSource` | `false` | Alpha | 1.18 | 1.23 | | |||
| | `AnyVolumeDataSource` | `true` | Beta | 1.24 | | | |||
| | `AppArmor` | `true` | Beta | 1.4 | | | |||
| | `ClusterTrustBundle` | `false` | Alpha | 1.28 | | | |||
| | `ClusterTrustBundleProjection` | `false` | Alpha | 1.29 | | | |||
There was a problem hiding this comment.
Please preserve the existing collation order (#41793 may help us automate sorting, but that has not yet landed).
ahmedtd
force-pushed
the
ctb-projection
branch
from
130f234 to
1779874
Compare
k8s-ci-robot
added
the
needs-rebase
ahmedtd
force-pushed
the
ctb-projection
branch
from
1779874 to
774e1fe
Compare
k8s-ci-robot
removed
the
needs-rebase
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: 627313af259e477714afa4b93392d4a52c4ba6b6
|
| To use this feature in Kubernetes {{< skew currentVersion >}}, you must enable support for ClusterTrustBundle objects with the `ClusterTrustBundle` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) and `--runtime-config=certificates.k8s.io/v1alpha1/clustertrustbundles=true` kube-apiserver flag, then enable the `ClusterTrustBundleProjection` feature gate. | ||
| {{< /note >}} | ||
|
|
||
| The `clusterTrustBundle` projected volume source injects the contents of one or more ClusterTrustBundle objects as an automatically-updating file in the container filesystem. |
There was a problem hiding this comment.
(nit / good to fix for beta)
That first mention of ClusterTrustBundle could link to https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#cluster-trust-bundles
| @@ -441,7 +442,8 @@ Each feature gate is designed for enabling/disabling a specific feature: | |||
| - `CloudDualStackNodeIPs`: Enables dual-stack `kubelet --node-ip` with external cloud providers. | |||
| See [Configure IPv4/IPv6 dual-stack](/docs/concepts/services-networking/dual-stack/#configure-ipv4-ipv6-dual-stack) | |||
| for more details. | |||
| - `ClusterTrustBundle`: Enable ClusterTrustBundle objects and kubelet integration. | |||
| - `ClusterTrustBundle`: Enable ClusterTrustBundle objects. | |||
| - `ClusterTrustBundleProjection`: Enable kubelet ClusterTrustBundle projected volume sources. | |||
There was a problem hiding this comment.
(nit)
| - `ClusterTrustBundleProjection`: Enable kubelet ClusterTrustBundle projected volume sources. | |
| - `ClusterTrustBundleProjection`: Enable | |
| [`clusterTrustBundle` projected volume sources](/docs/concepts/storage/projected-volumes#clustertrustbundle). |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sftim The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
Netlify, our static site rendering and serving service, has got into a pickle @ahmedtd If you edit the commit (can be a no-op other than, eg, a different commit date) and force-push, that might help unbreak things. |
ahmedtd
force-pushed
the
ctb-projection
branch
from
774e1fe to
6dd3091
Compare
k8s-ci-robot
removed
the
lgtm
|
OK, looks like netlify is succeeding now. |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: 6868d9dece5b1b2bef78b68d130d1dbf4a8e5c2a
|
ClusterTrustBundle projected volume sources are slated to land in 1.29. Drop a
placeholdersection in the existing ClusterTrustBundle documentation to document it.Enhancements Issue: kubernetes/enhancements#3257
Implementation PR: kubernetes/kubernetes#113374