add multiple signers to CSRs #1400
Conversation
k8s-ci-robot
added
sig/auth
k8s-ci-robot
added
the
kind/kep
|
cc @munnerz |
I don't think that providing trust information (currently not done) is required for properly subdividing the signers we have. This doesn't preclude adding such a feature, but trust distribution is distinct from signing overall. |
There was a problem hiding this comment.
Can we spec interaction between approvers and signers in this change? Should we think about scoping authorization for an approver to a specific signer? Should approvers be 1:1 with signers? Should signers be 1:1 with CAs? Why don't we have a single signer for kubernetes.io/kubelet vs breaking it up?
Echoing Jordan's comment - as long we tackle trust distribution before |
|
This PR may require API review. If so, when the changes are ready, complete the pre-review checklist and request an API review. Status of requested reviews is tracked in the API Review project. |
They are trusted by the kube-apiserver for different purposes. A cluster-admin could use the same CA for each, but it should also be possible to selectively narrow your signers to their respective domains. Trusting a CA bundle to terminate an outbound connection is distinctly different than trusting a CA bundle to assert identity on an inbound connection. |
I don't see this as changing the role of approvers or changing the existing relationship between approvers and signers. I would expect that generally signers would be signing with a single key at a time. |
|
What's the relationship between signers' CA and the CA of kube-apiserver's flag We had divide the CA of |
|
For reference, in cert-manager we have added the following fields to our equivalent of the CSR type: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1alpha2.CertificateRequestSpec ( We have additionally added an optional annotation, There has also been a request to extend the 'status reasons' on our CertificateRequest resource to include some form of "FailedNoRetry" parameter, to indicate a particular request for a certificate failed because the parameters on the request itself are not acceptable for the given signer: cert-manager/cert-manager#2289 - this signals to other controllers that may create CertificateRequest resources that they should inform the user to update their request rather than blindly retry over and over. |
Are you asking what CA would sign
No, |
I think they should be signed with different CA/Key pair. In my company, we use different CA/Key pair to sign cert(kubeconfig) for developers based on which team the developer working for, which means every team has a CA/Key pair to sign cert(kubeconfig), and the Kubernetes admin should merge different CA to a single That's why I suggest |
It is simpler to manage a process that aggregates all your client cert signers into a single file and replace the file passed to --client-ca-file than to modify the kube-apiserver invocation and restart the process. I also think that we support dynamically reloading the --client-ca-file without a kube-apiserver restart as of 1.17 (@deads2k can confirm), which is a benefit of passing a single file containing all the CAs instead of N files each containing a single CA |
|
I've opened kubernetes/kubernetes#86476 to add the API fields, validation and defaulting behaviour described in this KEP. The signer and approver changes can be added later, unless you want to include them all in one PR 😄 |
deads2k
force-pushed
the
csr-signers
branch
3 times, most recently
from
e407cbb to
ee4d75c
Compare
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, liggitt The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
| CSRs have a `signerName` field which is used to specify which signer the CSR creator wants to sign the certificate. | ||
| To support migration from v1beta1 to v1, this required field will be defaulted in v1beta1 (optional in openapi), but | ||
| not defaulted and required in v1 : | ||
| 1. If it's a kubelet client certificate, it is assigned "kubernetes.io/kubelet-client". |
There was a problem hiding this comment.
nit: I think this should be kube-apiserver-client-kubelet now?
There was a problem hiding this comment.
| additional scrutiny before approval and signing. An admission plugin is available to restrict system:masters, but | ||
| it is often not the only cluster-admin subject in a cluster. |
There was a problem hiding this comment.
Why is this implemented in admission control vs approver or signer policy?
There was a problem hiding this comment.
@deads2k have you got any input here? We currently have this implemented as an admission plugin in kubernetes/kubernetes#86933, but is it better we move this to the approval flow?
Adds the ability for CSRs to have different signers while keep backward compatibility with existing consumers of v1beta1. This is on the path to a GA API.
@kubernetes/sig-auth-api-reviews
/priority important-soon
/assign @liggitt