Master Kubelet TLS verification broken due to external cloud provider node initialization order #55633

Closed
@wlan0

Description

Before the CCM started initializing node addresses (IP addresses and hostnames) asynchronously, the kubelet would read the addresses and hostnames from the node or from the cloud before creating the TLS serving certs. This ensured that the TLS certs reflected the correct addresses.

Now that the asynchronous model is being followed for node initialization, the kubelet generates certs with a set of addresses that do not reflect the cloud-initialized addresses for the node.

The order of node address initialization -> TLS cert creation should be preserved with the new asynchronous model as well.
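
An added example, not part of the original issue or of the Kubernetes code base: one way to detect the mismatch described above is to compare the SANs of a kubelet serving certificate with the addresses listed in the Node's `status.addresses`. The names `NodeAddress` and `SANDrift` and all sample addresses are constructed for illustration.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"net"
)

// NodeAddress mirrors one type/address pair from a Node's status.addresses.
type NodeAddress struct{ Type, Address string }

// SANDrift compares a serving certificate with the node's current addresses.
// missing: node addresses a client cannot verify against this certificate.
// stale: SANs in the certificate that are no longer node addresses.
func SANDrift(cert *x509.Certificate, addrs []NodeAddress) (missing []NodeAddress, stale []string) {
	current := map[string]bool{}
	for _, a := range addrs {
		current[a.Address] = true
		// VerifyHostname checks IPs against IP SANs and names against DNS SANs.
		if cert.VerifyHostname(a.Address) != nil {
			missing = append(missing, a)
		}
	}
	for _, name := range cert.DNSNames {
		if !current[name] {
			stale = append(stale, name)
		}
	}
	for _, ip := range cert.IPAddresses {
		if !current[ip.String()] {
			stale = append(stale, ip.String())
		}
	}
	return missing, stale
}

func main() {
	// Constructed scenario: the cert holds the addresses known at kubelet start;
	// the cloud addresses were set later. Real use: x509.ParseCertificate.
	cert := &x509.Certificate{
		DNSNames:    []string{"node-a"},
		IPAddresses: []net.IP{net.ParseIP("192.168.1.20")},
	}
	addrs := []NodeAddress{{"Hostname", "node-a"}, {"InternalIP", "10.0.0.5"},
		{"ExternalIP", "203.0.113.7"}}
	missing, stale := SANDrift(cert, addrs)
	fmt.Println("missing from cert:", missing)
	fmt.Println("stale SANs:", stale)
}
```

Any entry in `missing` is an address at which TLS verification of the kubelet would fail with that certificate.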

Labels

area/cloudprovider, kind/feature, sig/auth, sig/node
