
ClusterTrustBundles: Add section to certificates page #40065

Closed
wants to merge 1 commit into from

Conversation

ahmedtd
Contributor

@ahmedtd ahmedtd commented Mar 16, 2023

ClusterTrustBundles are a new alpha API type landing in Kubernetes 1.27.

@k8s-ci-robot k8s-ci-robot added this to the 1.27 milestone Mar 16, 2023
@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Mar 16, 2023
@k8s-ci-robot k8s-ci-robot requested review from enj and munnerz March 16, 2023 20:06
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign reylejano for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added language/en Issues or PRs related to English language sig/docs Categorizes an issue or PR as relevant to SIG Docs. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Mar 16, 2023
@liggitt
Member

liggitt commented Mar 21, 2023

/sig auth

@k8s-ci-robot k8s-ci-robot added the sig/auth Categorizes an issue or PR as relevant to SIG Auth. label Mar 21, 2023
@liggitt
Member

liggitt commented Mar 21, 2023

/assign

Document the API types as they exist today, plus a hint of the future
integrations that will be available.
@ahmedtd ahmedtd force-pushed the cluster-trust-bundles branch from ff1d663 to 5cd243d Compare March 21, 2023 17:34
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Mar 21, 2023
@ahmedtd ahmedtd marked this pull request as ready for review March 21, 2023 20:26
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 21, 2023
{{< feature-state for_k8s_version="v1.27" state="alpha" >}}

{{< note >}}
Gated by the `ClusterTrustBundles` feature gate.
Member

Suggested change
Gated by the `ClusterTrustBundles` feature gate.
Use of this feature requires the `ClusterTrustBundle` feature gate to be enabled in `kube-apiserver` and the alpha API to be enabled with `--runtime-config=certificates.k8s.io/v1alpha1/certificatetrustbundles=true`.
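Review bot: the feature gate name differs between the note line in the snippet (`ClusterTrustBundles`) and the suggested replacement (`ClusterTrustBundle`); one spelling should be used consistently, since a misspelled gate name in the docs leads users to a kube-apiserver flag value that is silently wrong. The resource segment of the `--runtime-config` value (`certificatetrustbundles`) also does not match the object name used throughout the rest of the page (ClusterTrustBundle), so please double-check it against the API resource name before merging.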

Comment on lines +474 to +475
Future Kubernetes releases will build on them with integrations like the ability
to project their contents into the pod filesystem.
Member

avoid forward looking statements here, just document what exists and is usable today

Comment on lines +487 to +488
rejected during object validation, or filtered by consumers of the object
(primarily Kubelet). Additionally, consumers will reorder the certificates in
Member

Suggested change
rejected during object validation, or filtered by consumers of the object
(primarily Kubelet). Additionally, consumers will reorder the certificates in
rejected during object validation, or can be ignored by consumers of the object.
Additionally, consumers are allowed to reorder the certificates in

the bundle with their own arbitrary but stable ordering.

ClusterTrustBundle objects should be considered world-readable within the
cluster. All serviceaccounts have a default RBAC grant to get, list, and watch
Member

Suggested change
cluster. All serviceaccounts have a default RBAC grant to get, list, and watch
cluster. All service accounts have a default RBAC grant to get, list, and watch

Comment on lines +522 to +525
Signer-linked ClusterTrustBundles will be consumed in workloads by a combination
of field selector on the signer name and a label selector. If this query
matches multiple ClusterTrustBundle objects, their contents will be merged,
deduplicated, and sorted before being provided to the workload.
Member

drop the bits referring to projected volumes for now, limit this to documenting the spec.signerName field selector for this release

metadata:
name: foo
spec:
signerName: ""
Member

maybe a comment rather than explicitly setting an empty field?

Suggested change
signerName: ""
# no signerName specified
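Added example, not from this PR or from Kubernetes itself: a consumer-side model of what the reviewed snippets describe, selecting ClusterTrustBundles by `spec.signerName` plus a label selector, filtering PEM blocks that are not certificates, and merging, deduplicating and stably sorting the result. The object shape, the DER stand-ins and the choice of sort key are assumptions of this example.

```python
import base64
import re
from typing import Dict, Iterable, List

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def _pem(label: str, der: bytes) -> str:
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

# Constructed stand-ins for DER certificates: minimal DER SEQUENCEs, not real X.509 data.
CA_A, CA_B, CA_C = b"\x30\x03\x02\x01\x01", b"\x30\x03\x02\x01\x02", b"\x30\x03\x02\x01\x03"
# Constructed ClusterTrustBundle-like objects (assumed shape: metadata.labels, spec.signerName, spec.trustBundle).
OBJECTS = [
    {"metadata": {"name": "example.com:foo:a", "labels": {"tier": "prod"}},
     "spec": {"signerName": "example.com/foo",
              "trustBundle": _pem("CERTIFICATE", CA_B) + _pem("CERTIFICATE", CA_A)}},
    {"metadata": {"name": "example.com:foo:b", "labels": {"tier": "prod"}},
     "spec": {"signerName": "example.com/foo",  # repeats CA_A and carries a block that is not a certificate
              "trustBundle": _pem("CERTIFICATE", CA_A) + _pem("PRIVATE KEY", b"\x30\x00") + _pem("CERTIFICATE", CA_C)}},
    {"metadata": {"name": "other", "labels": {"tier": "prod"}},  # different signer: must not be selected
     "spec": {"signerName": "example.com/bar", "trustBundle": _pem("CERTIFICATE", b"\x30\x03\x02\x01\x09")}},
]

def select_bundles(objects, signer_name: str, labels: Dict[str, str]) -> List[str]:
    """Model a field selector on spec.signerName combined with an equality label selector."""
    return [o["spec"]["trustBundle"] for o in objects
            if o["spec"].get("signerName") == signer_name
            and all(o["metadata"].get("labels", {}).get(k) == v for k, v in labels.items())]

def extract_certificates(pem: str) -> List[bytes]:
    """DER bytes of each CERTIFICATE block; other labels and malformed blocks are filtered out."""
    ders = []
    for label, body in PEM_BLOCK.findall(pem):
        if label != "CERTIFICATE":
            continue  # e.g. a PRIVATE KEY block has no place in a trust bundle
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            continue  # undecodable body: reject the block
        if der[:1] != b"\x30":
            continue  # an X.509 certificate is a DER SEQUENCE
        ders.append(der)
    return ders

def merge_trust_bundles(bundles: Iterable[str]) -> List[bytes]:
    """Merge, deduplicate and sort by DER bytes: an arbitrary but stable ordering."""
    return sorted({der for b in bundles for der in extract_certificates(b)})
```

`merge_trust_bundles(select_bundles(OBJECTS, "example.com/foo", {"tier": "prod"}))` yields the three distinct CA stand-ins in byte order, with the duplicate and the non-certificate block dropped.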

@tengqm
Contributor

tengqm commented Mar 31, 2023

@ahmedtd Mind giving this another stab?

@nate-double-u
Contributor

Hi @ahmedtd, April 4 (today) is the release 1.27 Docs complete — All PRs reviewed and ready to merge date. It looks like @liggitt has provided a lot of feedback. Could you update the PR to prepare it for merge?

@mickeyboxell
Contributor

Closing this PR as the work will be shifted over to #40578.
