Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add per-node-certification support #1159

Merged
merged 1 commit into from
Sep 18, 2023

Conversation

s1061123
Copy link
Member

This change introduces per-node certification for multus pods. Once multus pod is launched, then specified bootstrap kubeconfig is used for initial access, then multus sends CSR request to kube API to get original certs for kube API access. Once it is accepted then the multus pod uses generated certs for kube access.

This PR only targets the code and doc/installer manifests will be addressed in another PR.

@s1061123 s1061123 requested a review from dougbtv September 18, 2023 14:49
@s1061123 s1061123 force-pushed the per-node-cert branch 2 times, most recently from d0f2740 to 049ec70 Compare September 18, 2023 15:01
This change introduces per-node certification for multus pods.
Once multus pod is launched, then specified bootstrap kubeconfig
is used for initial access, then multus sends CSR request to
kube API to get original certs for kube API access. Once it is
accepted then the multus pod uses generated certs for kube access.
Copy link
Member

@dougbtv dougbtv left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! I think we can move forward with this as-is. But let's follow up with example yaml for deployment as well as docs (I can also follow up on this)

@@ -393,87 +387,6 @@ func TryLoadPodDelegates(pod *v1.Pod, conf *types.NetConf, clientInfo *ClientInf
return 0, clientInfo, err
}

// InClusterK8sClient returns the `k8s.ClientInfo` struct to use to connect to
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is all removed because of Dan's recent performance work, right?

}

// GetK8sClient gets client info from kubeconfig
func GetK8sClient(kubeconfig string, kubeClient *ClientInfo) (*ClientInfo, error) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, I get it, the GetK8sClient moves here, makes sense.

@dougbtv dougbtv merged commit 857d070 into k8snetworkplumbingwg:master Sep 18, 2023
24 checks passed
@s1061123 s1061123 deleted the per-node-cert branch September 18, 2023 16:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants