Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

kubeadm 710 Switch to a dedicated CA for kubeadm etcd identities #60385

Merged
merged 2 commits into from
Mar 1, 2018
Merged

kubeadm 710 Switch to a dedicated CA for kubeadm etcd identities #60385

merged 2 commits into from
Mar 1, 2018

Conversation

stealthybox
Copy link
Member

@stealthybox stealthybox commented Feb 25, 2018
edited
Loading

What this PR does / why we need it:
On kubeadm init/kubeadm upgrade, this PR generates an etcd specific CA for signing the following certs:

  • etcd serving cert
  • etcd peer cert
  • apiserver etcd client cert

These certs were previously signed by the kubernetes CA.
The etcd static pod in local.go has also been updated to only mount the /etcd subdir of cfg.CertificatesDir.

New phase command:

kubeadm alpha phase certs etcd-ca

See the linked issue for details on why this change is an important security feature.

Which issue(s) this PR fixes
Fixes kubernetes/kubeadm#710

Special notes for your reviewer:

on the master

this should still fail:

curl localhost:2379/v2/keys  # no output
curl --cacert /etc/kubernetes/pki/etcd/ca.crt https://localhost:2379/v2/keys  # handshake error

this should now fail: (previously would succeed)

cd /etc/kubernetes/pki
curl --cacert etcd/ca.crt --cert apiserver-kubelet-client.crt --key apiserver-kubelet-client.key https://localhost:2379/v2/keys
  # curl: (35) error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate

this should still succeed:

cd /etc/kubernetes/pki
curl --cacert etcd/ca.crt --cert apiserver-etcd-client.crt --key apiserver-etcd-client.key https://localhost:2379/v2/keys

Release note:

On cluster provision or upgrade, kubeadm generates an etcd specific CA for all etcd related certificates.

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Feb 25, 2018
@stealthybox stealthybox force-pushed the feature/kubeadm_710-etcd-ca branch from dddf030 to 07802e2 Compare February 25, 2018 06:48
@stealthybox stealthybox force-pushed the feature/kubeadm_710-etcd-ca branch 3 times, most recently from 9eb98eb to be66dcf Compare February 25, 2018 20:41
@timothysc timothysc requested a review from detiber February 27, 2018 16:44
@timothysc
Copy link
Member

/cc @detiber @ericchiang @kubernetes/sig-cluster-lifecycle-pr-reviews

@k8s-ci-robot k8s-ci-robot added the sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. label Feb 27, 2018
@timothysc timothysc added kind/bug Categorizes issue or PR as related to a bug. status/approved-for-milestone labels Feb 27, 2018
@timothysc timothysc added this to the v1.10 milestone Feb 27, 2018
@timothysc
Copy link
Member

This was an implementation request/bug from the original PR so it meets the criteria for post freeze inclusion.

@detiber
Copy link
Member

detiber commented Feb 27, 2018

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 27, 2018
xiangpengzhao
xiangpengzhao reviewed Feb 27, 2018
View reviewed changes
Copy link
Contributor

@xiangpengzhao xiangpengzhao left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just a nit. otherwise LGTM.

cmd/kubeadm/app/phases/certs/certs.go Outdated
@@ -302,6 +322,17 @@ func NewAPIServerKubeletClientCertAndKey(caCert *x509.Certificate, caKey *rsa.Pr
return apiClientCert, apiClientKey, nil
}

// NewEtcdCACertAndKey generate a self signed front proxy CA.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is it a front proxy CA?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed -- thanks peter!

@stealthybox stealthybox force-pushed the feature/kubeadm_710-etcd-ca branch from be66dcf to 41974cb Compare February 28, 2018 00:57
@k8s-github-robot k8s-github-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 28, 2018
@stealthybox
Copy link
Member Author

stealthybox commented Feb 28, 2018
edited
Loading

oops... did not notice it was already in the queue 🙃
could somebody review the spelling updates please? thanks!

++ @xiangpengzhao

@dixudx
Copy link
Member

dixudx commented Feb 28, 2018

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 28, 2018
@dixudx
Copy link
Member

dixudx commented Feb 28, 2018

/area kubeadm

@dixudx
Copy link
Member

dixudx commented Feb 28, 2018

@stealthybox Could you please squash your commits?

@stealthybox
Copy link
Member Author

@dixudx thanks for reviewing!

I separated the typos so that the CA related commit is easier to understand.
I think it's best to leave it like this. Do you agree?

@dixudx
Copy link
Member

dixudx commented Feb 28, 2018

@stealthybox IMO The second commit is more about renaming. But it's okay to keep it as it is.

@detiber
Copy link
Member

detiber commented Feb 28, 2018

/lgtm

0xmichalis
0xmichalis reviewed Feb 28, 2018
View reviewed changes
cmd/kubeadm/app/phases/upgrade/staticpods.go
@@ -136,17 +136,22 @@ func upgradeComponent(component string, waiter apiclient.Waiter, pathMgr StaticP
}

// ensure etcd certs are generated for etcd and kube-apiserver
if component == constants.Etcd || component == constants.KubeAPIServer {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why CreateEtcdCACertAndKeyFiles needs to run when upgrading the api server?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IIUC, CreateEtcdServerCertAndKeyFiles in L145 and CreateAPIServerEtcdClientCertAndKeyFiles in L153 depends on etcd CA to generate their cert and key files, CreateEtcdCACertAndKeyFiles ensures etcd CA files are existing or generated.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense

/hold cancel

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Peter explained correctly what I was thinking 👍

The happy path would work without it, but if you ever wanted the apiserver to start independently of etcd, it would fail.

timothysc
timothysc approved these changes Mar 1, 2018
View reviewed changes
Copy link
Member

@timothysc timothysc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

@timothysc timothysc added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 1, 2018
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: detiber, dixudx, stealthybox, timothysc

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@xiangpengzhao
Copy link
Contributor

/hold
until @Kargakis question #60385 (comment) is finally explained. Hopefully my #60385 (comment) is correct :)

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 1, 2018
@timothysc
Copy link
Member

xref #60608

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 1, 2018
@k8s-github-robot
Copy link

/test all [submit-queue is verifying that this PR is safe to merge]

@k8s-github-robot
Copy link

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here.

@k8s-github-robot k8s-github-robot merged commit 5cff6c9 into kubernetes:master Mar 1, 2018
@stealthybox stealthybox mentioned this pull request Mar 3, 2018
Closed
@andrewrynhard
Copy link
Contributor

andrewrynhard commented Mar 17, 2018
edited
Loading

This seems to break self-hosting, self-hosted kube-apiserver:

err (open /etc/kubernetes/pki/apiserver-etcd-client.crt: no such file or directory)

@timothysc I'm not sure what the status is for storing certs as secrets in the cluster. I know it is behind a feature gate, but is that something we wan't to continue to do? IIRC there were security concerns with that. I can add apiserver-etcd-client* in a PR if that is the route we are sticking with.

@stealthybox
Copy link
Member Author

@andrewrynhard do we rely on external etcd for self-hosted?
Is there a case where the self-hosted apiserver contacts an etcd static pod?
I was under the impression that we deprecated etcd-operator.

I know there's upgrade logic that modifies the static pod manifests for self-hosted -- we could ensure the cert is generated and mounted or just remove this option unless a user specifies an external etcd cert.

@andrewrynhard
Copy link
Contributor

@stealthybox sorry, I should have been more specific... this breaks self-hosting if StoreCertsInSecrets is set to true. When StoreCertsInSecrets is set to true, the certs in /etc/kubernetes/pki get stored as secrets in the cluster: https://github.com/kubernetes/kubernetes/blob/master/cmd/kubeadm/app/phases/selfhosting/selfhosting.go#L63-L73.

@stealthybox
Copy link
Member Author

I think I found the bug.

@stealthybox
Copy link
Member Author

At a minimum, we should add the apiserver client cert to getTLSKeyPairs().
uploadTLSSecrets() uses it to get the collection when features.StoreCertsInSecrets is enabled:

https://sourcegraph.com/github.com/kubernetes/kubernetes/-/blob/cmd/kubeadm/app/phases/selfhosting/selfhosting.go#L67:13

https://sourcegraph.com/github.com/kubernetes/kubernetes/-/blob/cmd/kubeadm/app/phases/selfhosting/selfhosting_volumes.go#L184:29

https://sourcegraph.com/github.com/kubernetes/kubernetes/-/blob/cmd/kubeadm/app/phases/selfhosting/selfhosting_volumes.go#L265:6

@stealthybox
Copy link
Member Author

@andrewrynhard
would you be willing to open an issue for this including the command and config that reproduces this bug?

I believe the patch should include something like this:

diff --git a/cmd/kubeadm/app/phases/selfhosting/selfhosting_volumes.go b/cmd/kubeadm/app/phases/selfhosting/selfhosting_volumes.go
index 627fb01f04..2446843c34 100644
--- a/cmd/kubeadm/app/phases/selfhosting/selfhosting_volumes.go
+++ b/cmd/kubeadm/app/phases/selfhosting/selfhosting_volumes.go
@@ -279,6 +279,11 @@ func getTLSKeyPairs() []*tlsKeyPair {
                        cert: kubeadmconstants.APIServerKubeletClientCertName,
                        key:  kubeadmconstants.APIServerKubeletClientKeyName,
                },
+               {
+                       name: kubeadmconstants.APIServerEtcdClientCertAndKeyBaseName,
+                       cert: kubeadmconstants.APIServerEtcdClientCertName,
+                       key:  kubeadmconstants.APIServerEtcdClientKeyName,
+               },
                {
                        name: kubeadmconstants.ServiceAccountKeyBaseName,
                        cert: kubeadmconstants.ServiceAccountPublicKeyName,

Probably needs a test as well -- I can help review.

@stealthybox
Copy link
Member Author

We also need to add a matching &v1.ProjectedVolumeSource to apiServerCertificatesVolumeSource()

@andrewrynhard
Copy link
Contributor

@stealthybox I can create an issue once I’m back to the computer. First glance I think that patch is all we need.

@andrewrynhard
Copy link
Contributor

That patch and the projected volume

@andrewrynhard andrewrynhard mentioned this pull request Mar 18, 2018
Closed
@wojtek-t wojtek-t mentioned this pull request Apr 5, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@xiangpengzhao xiangpengzhao xiangpengzhao left review comments

@0xmichalis 0xmichalis 0xmichalis left review comments

@timothysc timothysc timothysc approved these changes

@dmmcquay dmmcquay Awaiting requested review from dmmcquay

@detiber detiber Awaiting requested review from detiber

Assignees

@detiber detiber

@dixudx dixudx

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/kubeadm cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
v1.10
Development

Successfully merging this pull request may close these issues.

Add separate CA for etcd certificates
9 participants
@stealthybox @timothysc @detiber @dixudx @k8s-ci-robot @xiangpengzhao @k8s-github-robot @andrewrynhard @0xmichalis