-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Kubernetes secrets signed by kops CA #10149
Comments
I maintain proofpoint/kapprover and proofpoint/certificate-init-container for the TLS server cert use case. We since wrote (but haven't open-sourced) a mutating admission webhook to inject the init container. It provides a per-pod certificate/key in a volume, not one shared using a Secret. |
If we were do go down this path, the addon could just specify the init-container, so the mutating webhook is probably not that useful. In our case, kops-controller would be the signer, so the code there would be somewhat similar to the CRD approach. Validating the CSR is probably more complex than just writing a secret to a well-known location and trust that only e.g metrics-server has the RBAC privileges to read it though. To me, this feels a bit too complex. |
The CRD approach looks equivalent to a cert-manager The mutating webhook abstracts away the implementation detail of the init container. The workload doesn't need to know (or update) the init container's version. The init container implementation could be replaced with a FlexVolume implementation, for example. Validating the CSR is not that complex. |
The CRD approach is analog to cert-manager, yes. We could very well be using cert-manager if we want to add that as an addon. We could then create an I was slightly reluctant to supporting cert-manager given its happiness fo breaking backwards-compatibility. But now that they have reached 1.0, I expect it to be more stable. |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-contributor-experience at kubernetes/community. |
The underlying problem has been solved by using cert-manager instead. |
@olemarkus: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
1. Describe IN DETAIL the feature/behavior/change you would like to see.
There are a couple of use cases for having kubernetes TLS secets signed by the kops CA. Metrics Server can use these secrets as client/serving certs. Addons using webhooks would also benefits from this.
2. Feel free to provide a design supporting your feature request.
This feature feels like a natural extension on of kops-controller and there are two ways of implementing this that I can think of.
One would be to use a light-weight controller-like component that would get take a list of secret names passed through options and create them. Would probably need to implement leader-elections and such manually as using controller-runtime can get a bit awkward. There is nothing to watch and reconcile on.
The perhaps better alternative would be to introduce a CRD named
KubeletSecret
or similar, then use a proper controller-runtime controller to watch and reconcile into k8s secrets. TheKubeletSecret
resources could be provisioned as part of the addon. One could still pass in a list of allowed KubeletSecrets for extra safety to prevent users from creating arbitrary secrets. This would probably be a much simpler implementation, but it does introduce a kOps CRD.The text was updated successfully, but these errors were encountered: