Improve docs about Kubernetes API access CA and using it from a Pod #42537

Open
@sftim

Description

@sftim

This is a Feature Request

What would you like to be added
Add details about the CA certificate that a container (in a Pod) can use for API access, when that certificate might be missing from your Pod, and what to do if that occurs.

Why is this needed
Accessing the Kubernetes API from a Pod states:

If available, a certificate bundle is placed into the filesystem tree of each container at /var/run/secrets/kubernetes.io/serviceaccount/ca.crt, and should be used to verify the serving certificate of the API server.

However, the page doesn't explain under what circumstances that file might not be present, nor what to do if you find that it isn't there.
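As an added example (not code from the issue, the Kubernetes docs, or the project), a POSIX shell helper a container can run before calling the API server: it checks the projected CA bundle at the path quoted above and, if the bundle is missing, empty, or not PEM, refuses to make the call rather than falling back to an unverified connection. The names SA_DIR, api_ca_status and build_curl_args are my own; the directory path and KUBERNETES_SERVICE_HOST/PORT variables are the documented defaults.

```shell
#!/bin/sh
# Added example: check the in-Pod CA bundle before calling the API server and fail
# closed (no --insecure fallback) when it is unusable. Names below are my own.

SA_DIR="${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}"

# api_ca_status DIR: print "ok" if DIR/ca.crt is a non-empty PEM bundle,
# otherwise print a short reason and return non-zero.
api_ca_status() {
  ca="$1/ca.crt"
  if [ ! -e "$ca" ]; then echo "missing"; return 1; fi
  if [ ! -s "$ca" ]; then echo "empty"; return 1; fi
  if ! grep -q 'BEGIN CERTIFICATE' "$ca"; then echo "not-pem"; return 1; fi
  echo "ok"
}

# build_curl_args DIR HOST PORT PATH: emit curl arguments (one per line) for a
# verified, authenticated API call, or print an error to stderr and return 1.
build_curl_args() {
  dir="$1"; host="$2"; port="$3"; path="$4"
  status=$(api_ca_status "$dir") || {
    echo "refusing to call API server: CA bundle $status at $dir/ca.crt" >&2
    return 1
  }
  [ -s "$dir/token" ] || { echo "missing service account token" >&2; return 1; }
  printf '%s\n' "--cacert" "$dir/ca.crt" \
    "-H" "Authorization: Bearer $(cat "$dir/token")" \
    "https://$host:$port$path"
}

# Usage inside a Pod (arguments are newline-separated, so pass them with xargs -0):
#   build_curl_args "$SA_DIR" "$KUBERNETES_SERVICE_HOST" "$KUBERNETES_SERVICE_PORT" /api \
#     | tr '\n' '\0' | xargs -0 curl -s
```

If api_ca_status reports anything but "ok", the script exits without contacting the API server, which is the safe default until the bundle's absence is understood.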

Comments
/sig auth

Some more context: ClusterTrustBundles are an alpha feature that might help an API server publish a valid CA certificate for the hostname that clients are expected to use.
See KEP 3257 for more details.

Labels

kind/feature (Categorizes issue or PR as related to a new feature); lifecycle/frozen (Indicates that an issue or PR should not be auto-closed due to staleness); needs-triage (Indicates an issue or PR lacks a `triage/foo` label and requires one); sig/auth (Categorizes an issue or PR as relevant to SIG Auth).
