Skip to content

Document kubernetes.io/kube-apiserver-serving ClusterTrustBundle signer #48492

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Document kubernetes.io/kube-apiserver-serving ClusterTrustBundle signer #48492

wants to merge 2 commits into from

Conversation

stlaz
Copy link
Member

@stlaz stlaz commented Oct 22, 2024
edited by sftim
Loading

Description

This is a placeholder for KEP-3257 Cluster Trust Bundles

Issue

Related to: kubernetes/enhancements#3257

@k8s-ci-robot k8s-ci-robot added this to the 1.32 milestone Oct 22, 2024
@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Oct 22, 2024
@netlify Netlify
Copy link

netlify bot commented Oct 22, 2024
edited
Loading

👷 Deploy Preview for kubernetes-io-vnext-staging processing.

Name Link
🔨 Latest commit ad05ff8
🔍 Latest deploy log https://app.netlify.com/sites/kubernetes-io-vnext-staging/deploys/674714996a54c400089b9d79

@netlify Netlify
Copy link

netlify bot commented Oct 22, 2024
edited
Loading

Pull request preview available for checking

Built without sensitive environment variables

Name Link
🔨 Latest commit 4304cc1
🔍 Latest deploy log https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/67a380f97f15220008a4b70c
😎 Deploy Preview https://deploy-preview-48492--kubernetes-io-main-staging.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@spurin
Copy link
Contributor

spurin commented Nov 1, 2024

Hello @stlaz 👋 please take a look at Documenting for a release - PR Ready for Review to get your PR ready for review before Tuesday November 19th 2024 18:00 PST. Thank you!

@stlaz stlaz force-pushed the cluster_trust_bundles branch from f6fe71b to b3c06b7 Compare November 12, 2024 13:10
@k8s-ci-robot k8s-ci-robot added language/en Issues or PRs related to English language size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Nov 12, 2024
@stlaz stlaz changed the title KEP-3257 (Cluster Trust Bundles) docs placeholder KEP-3257 (Cluster Trust Bundles): add docs for a new signer Nov 12, 2024
@stlaz stlaz marked this pull request as ready for review November 12, 2024 13:12
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 12, 2024
@sftim
Copy link
Contributor

sftim commented Nov 15, 2024

/retitle Document kubernetes.io/kube-apiserver-serving ClusterTrustBundle signer

@k8s-ci-robot k8s-ci-robot changed the title KEP-3257 (Cluster Trust Bundles): add docs for a new signer Document kubernetes.io/kube-apiserver-serving ClusterTrustBundle signer Nov 15, 2024
sftim
sftim reviewed Nov 15, 2024
View reviewed changes
Copy link
Contributor

@sftim sftim left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some feedback

@stlaz stlaz force-pushed the cluster_trust_bundles branch from b3c06b7 to 7687889 Compare November 25, 2024 10:53
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Nov 25, 2024
@stlaz
Copy link
Member Author

stlaz commented Nov 25, 2024

Thank you @sftim for the review. I addressed your comments, I had additional questions with some of them.

@stlaz stlaz force-pushed the cluster_trust_bundles branch from 7687889 to 58c17dd Compare November 25, 2024 14:05
sftim
sftim reviewed Nov 27, 2024
View reviewed changes
sftim
sftim reviewed Nov 27, 2024
View reviewed changes
sftim
sftim reviewed Nov 27, 2024
View reviewed changes
@sftim
Copy link
Contributor

sftim commented Nov 27, 2024

LGTM for docs (even with pending feedback)
We should try to get a technical review on this change as well.

@stlaz stlaz force-pushed the cluster_trust_bundles branch from 58c17dd to ad05ff8 Compare November 27, 2024 12:46
@stlaz
Copy link
Member Author

stlaz commented Nov 27, 2024

Thank you for the review, I applied your suggestions, modifying some slightly.

@enj @ahmedtd would you please do the technical review?

enj
enj reviewed Jan 14, 2025
View reviewed changes
Copy link
Member

@enj enj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor comments, LGTM.

content/en/docs/reference/command-line-tools-reference/feature-gates/cluster-trust-bundle.md Outdated
@@ -10,4 +10,9 @@ stages:
defaultValue: false
fromVersion: "1.27"
---
Enable ClusterTrustBundle objects and kubelet integration.
Enable ClusterTrustBundle support, including kubelet integration. Also makes the Kubernetes
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we need to indicate that the ClusterTrustBundle feature gate is used in API server, controller manager and kubelet.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

kubelet uses only the ClusterTrustBundleProjection fg, I'll add the info about KAS and KCM.

I wonder if we wanted to clarify that the kubelet integration needs to be additionally set up with its own featuregate that depends on the API this featuregate enables?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, I just realized the mention of kubelet is likely all wrong here, I'll remove that. The ClusterTrustBundleProjection FG controls the availability of the pod fields AFAIK.

content/en/docs/reference/access-authn-authz/certificate-signing-requests.md
1. Permitted x509 extensions - honors subjectAltName and key usage extensions. At
least one DNS or IP subjectAltName must be present. The SAN DNS/IP of the certificates
must resolve/point to kube-apiserver's hostname/IP.
1. Permitted key usages - ["key encipherment", "digital signature", "server auth"] or ["digital signature", "server auth"].
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But we don't fail anything if you have more than these though right?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's little to no validation around the KAS serving cert today, so no, we don't 😐

@benjaminapetersen
Copy link
Member

/assign @enj

@stlaz stlaz force-pushed the cluster_trust_bundles branch from 2976832 to 131eee4 Compare January 20, 2025 13:44
@sftim
Copy link
Contributor

sftim commented Jan 31, 2025

@stlaz is this targeting the right branch? Kubernetes v1.32 is released, so I imagine you want to target main.

@sftim
Copy link
Contributor

sftim commented Jan 31, 2025

/hold

pending a switch to a valid base branch

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 31, 2025
@stlaz stlaz changed the base branch from dev-1.32 to main January 31, 2025 14:27
@stlaz
Copy link
Member Author

stlaz commented Jan 31, 2025

Indeed, this was created for 1.32 originally but that's now main. Switched to the correct one, I'll fix the merge conflicts to make the PR mergeable again.

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 31, 2025
@stlaz stlaz force-pushed the cluster_trust_bundles branch from 131eee4 to 4304cc1 Compare February 5, 2025 15:17
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign tengqm for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 5, 2025
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

  • Mark this PR as fresh with /remove-lifecycle stale
  • Close this PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 6, 2025
@stlaz
Copy link
Member Author

stlaz commented May 7, 2025

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 7, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@enj enj enj left review comments

@sftim sftim sftim left review comments

@divya-mohan0209 divya-mohan0209 Awaiting requested review from divya-mohan0209

Assignees

@enj enj

Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. language/en Issues or PRs related to English language size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
1.32
Development

Successfully merging this pull request may close these issues.
7 participants
@stlaz @spurin @sftim @benjaminapetersen @k8s-ci-robot @k8s-triage-robot @enj