Move rotating kubelet client certificate to beta. #51045

jcbsmpsn · 2017-08-21T20:04:08Z

Release the kubelet client certificate rotation as beta.

ericchiang · 2017-08-21T20:50:14Z

pkg/features/kube_features.go

@@ -152,7 +152,7 @@ var defaultKubernetesFeatureGates = map[utilfeature.Feature]utilfeature.FeatureS
 	Accelerators:                                {Default: false, PreRelease: utilfeature.Alpha},
 	TaintBasedEvictions:                         {Default: false, PreRelease: utilfeature.Alpha},
 	RotateKubeletServerCertificate:              {Default: false, PreRelease: utilfeature.Alpha},
-	RotateKubeletClientCertificate:              {Default: false, PreRelease: utilfeature.Alpha},
+	RotateKubeletClientCertificate:              {Default: false, PreRelease: utilfeature.Beta},


Shouldn't this default to true?

So, I'd like to set the default value for the flag to true, which would turn this feature on by default when it goes GA. Leaving this value false which the feature is beta would mean people won't get the beta feature enabled by default.

What's the timeline for GA? I'd imagine most setups will still use static TLS for the foreseeable future and it seems odd to turn it on by default if a cluster isn't using it.

what is the behavior if the controller manager doesn't have a signing CA set up? does this degrade gracefully if unable to submit the CSR, or if the submitted CSR is never approved?

I mis-understood the behavior of the signing CA. I'm going to turn the flag to false by default, and put the beta feature to true.

ericchiang · 2017-08-21T20:51:13Z

cmd/kubelet/app/options/options.go

@@ -203,6 +205,8 @@ func (f *KubeletFlags) AddFlags(fs *pflag.FlagSet) {
 		"If the file specified by --kubeconfig does not exist, the bootstrap kubeconfig is used to request a client certificate from the API server. "+
 		"On success, a kubeconfig file referencing the generated client certificate and key is written to the path specified by --kubeconfig. "+
 		"The client certificate and key file will be stored in the directory pointed by --cert-dir.")
+	fs.BoolVar(&f.RotateCertificates, "rotate-certificates", f.RotateCertificates, "<Warning: Beta feature> Auto rotate the kubelet client certificates by requesting new certificates from the kube-apiserver when the certificate expiration approaches.")
+	fs.MarkHidden("rotate-certificates") // Mark this flag as hidden because it is still in Beta.


Has this pattern been used elsewhere? I don't remember us hiding other flags.

I don't know of it existing anywhere else. You think just the warning text and not hiding it is the best way to go?

ericchiang · 2017-08-21T20:51:41Z

cc @kubernetes/sig-auth-pr-reviews

ericchiang · 2017-08-24T16:21:43Z

/lgtm

ericchiang · 2017-08-24T16:22:26Z

/assign @dchen1107

For approval.

mikedanese · 2017-08-24T18:00:28Z

/approve no-issue

k8s-github-robot · 2017-08-27T08:12:32Z

/test all

Tests are more than 96 hours old. Re-running tests.

jcbsmpsn · 2017-08-28T17:02:59Z

/assign @smarterclayton Do you have any time to review this for approval?

smarterclayton · 2017-08-29T05:04:41Z

/approve

ericchiang · 2017-08-29T16:27:39Z

/lgtm

k8s-github-robot · 2017-08-29T16:28:35Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ericchiang, jcbsmpsn, mikedanese, smarterclayton

Associated issue requirement bypassed by: mikedanese

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

~~cmd/kubelet/OWNERS~~ [mikedanese,smarterclayton]
~~pkg/OWNERS~~ [smarterclayton]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

k8s-github-robot · 2017-08-30T04:43:36Z

Automatic merge from submit-queue (batch tested with PRs 49961, 50005, 50738, 51045, 49927)

k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Aug 21, 2017

k8s-github-robot assigned dchen1107 and lavalamp Aug 21, 2017

k8s-github-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. release-note Denotes a PR that will be considered when it comes time to generate release notes. labels Aug 21, 2017

ericchiang reviewed Aug 21, 2017

View reviewed changes

k8s-ci-robot added the sig/auth Categorizes an issue or PR as relevant to SIG Auth. label Aug 21, 2017

jcbsmpsn force-pushed the rotate-kubelet-client-certificate-beta branch 4 times, most recently from 964ab0a to e74416b Compare August 22, 2017 20:34

k8s-ci-robot assigned ericchiang Aug 24, 2017

k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 24, 2017

jcbsmpsn force-pushed the rotate-kubelet-client-certificate-beta branch from e74416b to b11bdc0 Compare August 28, 2017 17:00

k8s-github-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 28, 2017

k8s-ci-robot assigned smarterclayton Aug 28, 2017

k8s-github-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Aug 29, 2017

Move rotating kubelet client certificate to beta.

a0d81d1

jcbsmpsn force-pushed the rotate-kubelet-client-certificate-beta branch from b11bdc0 to a0d81d1 Compare August 29, 2017 16:26

k8s-github-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 29, 2017

k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 29, 2017

k8s-github-robot merged commit bb8fed8 into kubernetes:master Aug 30, 2017

ericchiang mentioned this pull request Sep 8, 2017

Make sure that Kubelet Certificate Rotation is enabled in v1.8 kubernetes/kubeadm#386

Closed

This was referenced Oct 5, 2017

Setting to enable/disable certificate rotation #40252

Closed

Add a kubelet flag to enable certificate rotation #46603

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Move rotating kubelet client certificate to beta. #51045

Move rotating kubelet client certificate to beta. #51045

jcbsmpsn commented Aug 21, 2017

ericchiang Aug 21, 2017

jcbsmpsn Aug 22, 2017 •

edited

Loading

ericchiang Aug 22, 2017

liggitt Aug 22, 2017

jcbsmpsn Aug 22, 2017

ericchiang Aug 21, 2017

jcbsmpsn Aug 22, 2017

ericchiang commented Aug 21, 2017

ericchiang commented Aug 24, 2017

ericchiang commented Aug 24, 2017

mikedanese commented Aug 24, 2017

k8s-github-robot commented Aug 27, 2017

jcbsmpsn commented Aug 28, 2017 •

edited

Loading

smarterclayton commented Aug 29, 2017

ericchiang commented Aug 29, 2017

k8s-github-robot commented Aug 29, 2017

k8s-github-robot commented Aug 30, 2017

Move rotating kubelet client certificate to beta. #51045

Move rotating kubelet client certificate to beta. #51045

Conversation

jcbsmpsn commented Aug 21, 2017

ericchiang Aug 21, 2017

Choose a reason for hiding this comment

jcbsmpsn Aug 22, 2017 • edited Loading

Choose a reason for hiding this comment

ericchiang Aug 22, 2017

Choose a reason for hiding this comment

liggitt Aug 22, 2017

Choose a reason for hiding this comment

jcbsmpsn Aug 22, 2017

Choose a reason for hiding this comment

ericchiang Aug 21, 2017

Choose a reason for hiding this comment

jcbsmpsn Aug 22, 2017

Choose a reason for hiding this comment

ericchiang commented Aug 21, 2017

ericchiang commented Aug 24, 2017

ericchiang commented Aug 24, 2017

mikedanese commented Aug 24, 2017

k8s-github-robot commented Aug 27, 2017

jcbsmpsn commented Aug 28, 2017 • edited Loading

smarterclayton commented Aug 29, 2017

ericchiang commented Aug 29, 2017

k8s-github-robot commented Aug 29, 2017

k8s-github-robot commented Aug 30, 2017

jcbsmpsn Aug 22, 2017 •

edited

Loading

jcbsmpsn commented Aug 28, 2017 •

edited

Loading