Merge pull request #111660 from pacoxu/key-encipherment-v1.26

Key encipherment usage v1.27
2025-07-21 02:41:25 +00:00 · 2023-01-04 15:51:57 -08:00 · 2023-01-04 15:51:57 -08:00 · 492637878f
commit 492637878f
parent 76e881d4d5 160f015ef4
9 changed files with 155 additions and 132 deletions
--- a/pkg/apis/certificates/helpers.go
+++ b/pkg/apis/certificates/helpers.go
@ -62,10 +62,10 @@ var (
 	)
 )

-func IsKubeletServingCSR(req *x509.CertificateRequest, usages sets.String, allowOmittingUsageKeyEncipherment bool) bool {
-	return ValidateKubeletServingCSR(req, usages, allowOmittingUsageKeyEncipherment) == nil
+func IsKubeletServingCSR(req *x509.CertificateRequest, usages sets.String) bool {
+	return ValidateKubeletServingCSR(req, usages) == nil
 }
-func ValidateKubeletServingCSR(req *x509.CertificateRequest, usages sets.String, allowOmittingUsageKeyEncipherment bool) error {
+func ValidateKubeletServingCSR(req *x509.CertificateRequest, usages sets.String) error {
 	if !reflect.DeepEqual([]string{"system:nodes"}, req.Subject.Organization) {
 		return organizationNotSystemNodesErr
 	}
@ -82,15 +82,9 @@ func ValidateKubeletServingCSR(req *x509.CertificateRequest, usages sets.String,
 		return uriSANNotAllowedErr
 	}

-	if allowOmittingUsageKeyEncipherment {
 	if !kubeletServingRequiredUsages.Equal(usages) && !kubeletServingRequiredUsagesNoRSA.Equal(usages) {
 		return fmt.Errorf("usages did not match %v", kubeletServingRequiredUsages.List())
 	}
-	} else {
-		if !kubeletServingRequiredUsages.Equal(usages) {
-			return fmt.Errorf("usages did not match %v", kubeletServingRequiredUsages.List())
-		}
-	}

 	if !strings.HasPrefix(req.Subject.CommonName, "system:node:") {
 		return commonNameNotSystemNode
@ -111,10 +105,10 @@ var (
 	)
 )

-func IsKubeletClientCSR(req *x509.CertificateRequest, usages sets.String, allowOmittingUsageKeyEncipherment bool) bool {
-	return ValidateKubeletClientCSR(req, usages, allowOmittingUsageKeyEncipherment) == nil
+func IsKubeletClientCSR(req *x509.CertificateRequest, usages sets.String) bool {
+	return ValidateKubeletClientCSR(req, usages) == nil
 }
-func ValidateKubeletClientCSR(req *x509.CertificateRequest, usages sets.String, allowOmittingUsageKeyEncipherment bool) error {
+func ValidateKubeletClientCSR(req *x509.CertificateRequest, usages sets.String) error {
 	if !reflect.DeepEqual([]string{"system:nodes"}, req.Subject.Organization) {
 		return organizationNotSystemNodesErr
 	}
@ -136,15 +130,9 @@ func ValidateKubeletClientCSR(req *x509.CertificateRequest, usages sets.String,
 		return commonNameNotSystemNode
 	}

-	if allowOmittingUsageKeyEncipherment {
 	if !kubeletClientRequiredUsages.Equal(usages) && !kubeletClientRequiredUsagesNoRSA.Equal(usages) {
 		return fmt.Errorf("usages did not match %v", kubeletClientRequiredUsages.List())
 	}
-	} else {
-		if !kubeletClientRequiredUsages.Equal(usages) {
-			return fmt.Errorf("usages did not match %v", kubeletClientRequiredUsages.List())
-		}
-	}

 	return nil
 }
--- a/pkg/apis/certificates/v1beta1/defaults.go
+++ b/pkg/apis/certificates/v1beta1/defaults.go
@ -56,27 +56,27 @@ func DefaultSignerNameFromSpec(obj *certificatesv1beta1.CertificateSigningReques
 		// Set the signerName to 'legacy-unknown' as the CSR could not be
 		// recognised.
 		return certificatesv1beta1.LegacyUnknownSignerName
-	case IsKubeletClientCSR(csr, obj.Usages, false):
+	case IsKubeletClientCSR(csr, obj.Usages):
 		return certificatesv1beta1.KubeAPIServerClientKubeletSignerName
-	case IsKubeletServingCSR(csr, obj.Usages, false):
+	case IsKubeletServingCSR(csr, obj.Usages):
 		return certificatesv1beta1.KubeletServingSignerName
 	default:
 		return certificatesv1beta1.LegacyUnknownSignerName
 	}
 }

-func IsKubeletServingCSR(req *x509.CertificateRequest, usages []certificatesv1beta1.KeyUsage, allowOmittingUsageKeyEncipherment bool) bool {
-	return certificates.IsKubeletServingCSR(req, usagesToSet(usages), allowOmittingUsageKeyEncipherment)
+func IsKubeletServingCSR(req *x509.CertificateRequest, usages []certificatesv1beta1.KeyUsage) bool {
+	return certificates.IsKubeletServingCSR(req, usagesToSet(usages))
 }
-func ValidateKubeletServingCSR(req *x509.CertificateRequest, usages []certificatesv1beta1.KeyUsage, allowOmittingUsageKeyEncipherment bool) error {
-	return certificates.ValidateKubeletServingCSR(req, usagesToSet(usages), allowOmittingUsageKeyEncipherment)
+func ValidateKubeletServingCSR(req *x509.CertificateRequest, usages []certificatesv1beta1.KeyUsage) error {
+	return certificates.ValidateKubeletServingCSR(req, usagesToSet(usages))
 }

-func IsKubeletClientCSR(req *x509.CertificateRequest, usages []certificatesv1beta1.KeyUsage, allowOmittingUsageKeyEncipherment bool) bool {
-	return certificates.IsKubeletClientCSR(req, usagesToSet(usages), allowOmittingUsageKeyEncipherment)
+func IsKubeletClientCSR(req *x509.CertificateRequest, usages []certificatesv1beta1.KeyUsage) bool {
+	return certificates.IsKubeletClientCSR(req, usagesToSet(usages))
 }
-func ValidateKubeletClientCSR(req *x509.CertificateRequest, usages []certificatesv1beta1.KeyUsage, allowOmittingUsageKeyEncipherment bool) error {
-	return certificates.ValidateKubeletClientCSR(req, usagesToSet(usages), allowOmittingUsageKeyEncipherment)
+func ValidateKubeletClientCSR(req *x509.CertificateRequest, usages []certificatesv1beta1.KeyUsage) error {
+	return certificates.ValidateKubeletClientCSR(req, usagesToSet(usages))
 }

 func usagesToSet(usages []certificatesv1beta1.KeyUsage) sets.String {
--- a/pkg/apis/certificates/v1beta1/defaults_test.go
+++ b/pkg/apis/certificates/v1beta1/defaults_test.go
@ -42,7 +42,6 @@ func TestIsKubeletServingCSR(t *testing.T) {
 	tests := map[string]struct {
 		req    *x509.CertificateRequest
 		usages []capi.KeyUsage
-		allowOmittingUsageKeyEncipherment bool
 		exp    bool
 	}{
 		"defaults for kubelet-serving": {
@ -50,16 +49,9 @@ func TestIsKubeletServingCSR(t *testing.T) {
 			usages: kubeletServerUsages,
 			exp:    true,
 		},
-		"defaults without key encipherment for kubelet-serving if allow omitting key encipherment": {
+		"defaults without key encipherment for kubelet-serving": {
 			req:    newCSR(kubeletServerPEMOptions),
 			usages: kubeletServerUsagesNoRSA,
-			allowOmittingUsageKeyEncipherment: true,
-			exp:                               true,
-		},
-		"defaults for kubelet-serving if allow omitting key encipherment": {
-			req:                               newCSR(kubeletServerPEMOptions),
-			usages:                            kubeletServerUsages,
-			allowOmittingUsageKeyEncipherment: true,
 			exp:    true,
 		},
 		"does not default to kube-apiserver-client-kubelet if org is not 'system:nodes'": {
@ -82,17 +74,6 @@ func TestIsKubeletServingCSR(t *testing.T) {
 			usages: kubeletServerUsages[1:],
 			exp:    false,
 		},
-		"does not default to kubelet-serving if it is missing an expected usage if allow omitting key encipherment": {
-			req:                               newCSR(kubeletServerPEMOptions),
-			usages:                            kubeletServerUsagesNoRSA[1:],
-			allowOmittingUsageKeyEncipherment: true,
-			exp:                               false,
-		},
-		"does not default to kubelet-serving if it is missing an expected usage withou key encipherment": {
-			req:    newCSR(kubeletServerPEMOptions),
-			usages: kubeletServerUsagesNoRSA,
-			exp:    false,
-		},
 		"does not default to kubelet-serving if it does not specify any dnsNames or ipAddresses": {
 			req:    newCSR(kubeletServerPEMOptions, pemOptions{ipAddresses: []net.IP{}, dnsNames: []string{}}),
 			usages: kubeletServerUsages[1:],
@ -111,7 +92,7 @@ func TestIsKubeletServingCSR(t *testing.T) {
 	}
 	for name, test := range tests {
 		t.Run(name, func(t *testing.T) {
-			got := IsKubeletServingCSR(test.req, test.usages, test.allowOmittingUsageKeyEncipherment)
+			got := IsKubeletServingCSR(test.req, test.usages)
 			if test.exp != got {
 				t.Errorf("unexpected IsKubeletClientCSR output: exp=%v, got=%v", test.exp, got)
 			}
@ -131,7 +112,6 @@ func TestIsKubeletClientCSR(t *testing.T) {
 	tests := map[string]struct {
 		req    *x509.CertificateRequest
 		usages []capi.KeyUsage
-		allowOmittingUsageKeyEncipherment bool
 		exp    bool
 	}{
 		"defaults for kube-apiserver-client-kubelet": {
@ -182,25 +162,17 @@ func TestIsKubeletClientCSR(t *testing.T) {
 		"does not default to kube-apiserver-client-kubelet if it is missing an expected usage without key encipherment": {
 			req:    newCSR(kubeletClientPEMOptions),
 			usages: kubeletClientUsagesNoRSA[1:],
-			allowOmittingUsageKeyEncipherment: true,
 			exp:    false,
 		},
-		"default to kube-apiserver-client-kubelet with key encipherment": {
-			req:                               newCSR(kubeletClientPEMOptions),
-			usages:                            kubeletClientUsages,
-			allowOmittingUsageKeyEncipherment: true,
-			exp:                               true,
-		},
 		"default to kube-apiserver-client-kubelet without key encipherment": {
 			req:    newCSR(kubeletClientPEMOptions),
 			usages: kubeletClientUsagesNoRSA,
-			allowOmittingUsageKeyEncipherment: true,
 			exp:    true,
 		},
 	}
 	for name, test := range tests {
 		t.Run(name, func(t *testing.T) {
-			got := IsKubeletClientCSR(test.req, test.usages, test.allowOmittingUsageKeyEncipherment)
+			got := IsKubeletClientCSR(test.req, test.usages)
 			if test.exp != got {
 				t.Errorf("unexpected IsKubeletClientCSR output: exp=%v, got=%v", test.exp, got)
 			}
--- a/pkg/controller/certificates/approver/sarapprove.go
+++ b/pkg/controller/certificates/approver/sarapprove.go
@ -152,7 +152,7 @@ func isNodeClientCert(csr *capi.CertificateSigningRequest, x509cr *x509.Certific
 	if csr.Spec.SignerName != capi.KubeAPIServerClientKubeletSignerName {
 		return false
 	}
-	return capihelper.IsKubeletClientCSR(x509cr, usagesToSet(csr.Spec.Usages), true)
+	return capihelper.IsKubeletClientCSR(x509cr, usagesToSet(csr.Spec.Usages))
 }

 func isSelfNodeClientCert(csr *capi.CertificateSigningRequest, x509cr *x509.CertificateRequest) bool {
--- a/pkg/controller/certificates/signer/signer.go
+++ b/pkg/controller/certificates/signer/signer.go
@ -248,14 +248,14 @@ func isKubeletServing(req *x509.CertificateRequest, usages []capi.KeyUsage, sign
 	if signerName != capi.KubeletServingSignerName {
 		return false, nil
 	}
-	return true, capihelper.ValidateKubeletServingCSR(req, usagesToSet(usages), true)
+	return true, capihelper.ValidateKubeletServingCSR(req, usagesToSet(usages))
 }

 func isKubeletClient(req *x509.CertificateRequest, usages []capi.KeyUsage, signerName string) (bool, error) {
 	if signerName != capi.KubeAPIServerClientKubeletSignerName {
 		return false, nil
 	}
-	return true, capihelper.ValidateKubeletClientCSR(req, usagesToSet(usages), true)
+	return true, capihelper.ValidateKubeletClientCSR(req, usagesToSet(usages))
 }

 func isKubeAPIServerClient(req *x509.CertificateRequest, usages []capi.KeyUsage, signerName string) (bool, error) {
--- a/pkg/kubelet/certificate/bootstrap/bootstrap.go
+++ b/pkg/kubelet/certificate/bootstrap/bootstrap.go
@ -19,6 +19,7 @@ package bootstrap
 import (
 	"context"
 	"crypto"
+	"crypto/rsa"
 	"crypto/sha512"
 	"crypto/x509"
 	"crypto/x509/pkix"
@ -329,9 +330,11 @@ func requestNodeCertificate(ctx context.Context, client clientset.Interface, pri

 	usages := []certificatesv1.KeyUsage{
 		certificatesv1.UsageDigitalSignature,
-		certificatesv1.UsageKeyEncipherment,
 		certificatesv1.UsageClientAuth,
 	}
+	if _, ok := privateKey.(*rsa.PrivateKey); ok {
+		usages = append(usages, certificatesv1.UsageKeyEncipherment)
+	}

 	// The Signer interface contains the Public() method to get the public key.
 	signer, ok := privateKey.(crypto.Signer)
--- a/pkg/kubelet/certificate/kubelet.go
+++ b/pkg/kubelet/certificate/kubelet.go
@ -108,20 +108,7 @@ func NewKubeletServerCertificateManager(kubeClient clientset.Interface, kubeCfg
 		ClientsetFn:             clientsetFn,
 		GetTemplate:             getTemplate,
 		SignerName:              certificates.KubeletServingSignerName,
-		Usages: []certificates.KeyUsage{
-			// https://tools.ietf.org/html/rfc5280#section-4.2.1.3
-			//
-			// Digital signature allows the certificate to be used to verify
-			// digital signatures used during TLS negotiation.
-			certificates.UsageDigitalSignature,
-			// KeyEncipherment allows the cert/key pair to be used to encrypt
-			// keys, including the symmetric keys negotiated during TLS setup
-			// and used for data transfer.
-			certificates.UsageKeyEncipherment,
-			// ServerAuth allows the cert to be used by a TLS server to
-			// authenticate itself to a TLS client.
-			certificates.UsageServerAuth,
-		},
+		GetUsages:               certificate.DefaultKubeletServingGetUsages,
 		CertificateStore:        certificateStore,
 		CertificateRotation:     certificateRotationAge,
 		CertificateRenewFailure: certificateRenewFailure,
@ -230,22 +217,7 @@ func NewKubeletClientCertificateManager(
 			},
 		},
 		SignerName: certificates.KubeAPIServerClientKubeletSignerName,
-		Usages: []certificates.KeyUsage{
-			// https://tools.ietf.org/html/rfc5280#section-4.2.1.3
-			//
-			// DigitalSignature allows the certificate to be used to verify
-			// digital signatures including signatures used during TLS
-			// negotiation.
-			certificates.UsageDigitalSignature,
-			// KeyEncipherment allows the cert/key pair to be used to encrypt
-			// keys, including the symmetric keys negotiated during TLS setup
-			// and used for data transfer..
-			certificates.UsageKeyEncipherment,
-			// ClientAuth allows the cert to be used by a TLS client to
-			// authenticate itself to the TLS server.
-			certificates.UsageClientAuth,
-		},
-
+		GetUsages:  certificate.DefaultKubeletClientGetUsages,
 		// For backwards compatibility, the kubelet supports the ability to
 		// provide a higher privileged certificate as initial data that will
 		// then be rotated immediately. This code path is used by kubeadm on
--- a/staging/src/k8s.io/client-go/util/certificate/certificate_manager.go
+++ b/staging/src/k8s.io/client-go/util/certificate/certificate_manager.go
@ -21,9 +21,11 @@ import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	cryptorand "crypto/rand"
+	"crypto/rsa"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/pem"
+	"errors"
 	"fmt"
 	"reflect"
 	"sync"
@ -32,7 +34,7 @@ import (
 	"k8s.io/klog/v2"

 	certificates "k8s.io/api/certificates/v1"
-	"k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/wait"
@ -42,9 +44,76 @@ import (
 	"k8s.io/client-go/util/keyutil"
 )

-// certificateWaitTimeout controls the amount of time we wait for certificate
-// approval in one iteration.
-var certificateWaitTimeout = 15 * time.Minute
+var (
+	// certificateWaitTimeout controls the amount of time we wait for certificate
+	// approval in one iteration.
+	certificateWaitTimeout = 15 * time.Minute
+
+	kubeletServingUsagesWithEncipherment = []certificates.KeyUsage{
+		// https://tools.ietf.org/html/rfc5280#section-4.2.1.3
+		//
+		// Digital signature allows the certificate to be used to verify
+		// digital signatures used during TLS negotiation.
+		certificates.UsageDigitalSignature,
+		// KeyEncipherment allows the cert/key pair to be used to encrypt
+		// keys, including the symmetric keys negotiated during TLS setup
+		// and used for data transfer.
+		certificates.UsageKeyEncipherment,
+		// ServerAuth allows the cert to be used by a TLS server to
+		// authenticate itself to a TLS client.
+		certificates.UsageServerAuth,
+	}
+	kubeletServingUsagesNoEncipherment = []certificates.KeyUsage{
+		// https://tools.ietf.org/html/rfc5280#section-4.2.1.3
+		//
+		// Digital signature allows the certificate to be used to verify
+		// digital signatures used during TLS negotiation.
+		certificates.UsageDigitalSignature,
+		// ServerAuth allows the cert to be used by a TLS server to
+		// authenticate itself to a TLS client.
+		certificates.UsageServerAuth,
+	}
+	DefaultKubeletServingGetUsages = func(privateKey interface{}) []certificates.KeyUsage {
+		switch privateKey.(type) {
+		case *rsa.PrivateKey:
+			return kubeletServingUsagesWithEncipherment
+		default:
+			return kubeletServingUsagesNoEncipherment
+		}
+	}
+	kubeletClientUsagesWithEncipherment = []certificates.KeyUsage{
+		// https://tools.ietf.org/html/rfc5280#section-4.2.1.3
+		//
+		// Digital signature allows the certificate to be used to verify
+		// digital signatures used during TLS negotiation.
+		certificates.UsageDigitalSignature,
+		// KeyEncipherment allows the cert/key pair to be used to encrypt
+		// keys, including the symmetric keys negotiated during TLS setup
+		// and used for data transfer.
+		certificates.UsageKeyEncipherment,
+		// ClientAuth allows the cert to be used by a TLS client to
+		// authenticate itself to the TLS server.
+		certificates.UsageClientAuth,
+	}
+	kubeletClientUsagesNoEncipherment = []certificates.KeyUsage{
+		// https://tools.ietf.org/html/rfc5280#section-4.2.1.3
+		//
+		// Digital signature allows the certificate to be used to verify
+		// digital signatures used during TLS negotiation.
+		certificates.UsageDigitalSignature,
+		// ClientAuth allows the cert to be used by a TLS client to
+		// authenticate itself to the TLS server.
+		certificates.UsageClientAuth,
+	}
+	DefaultKubeletClientGetUsages = func(privateKey interface{}) []certificates.KeyUsage {
+		switch privateKey.(type) {
+		case *rsa.PrivateKey:
+			return kubeletClientUsagesWithEncipherment
+		default:
+			return kubeletClientUsagesNoEncipherment
+		}
+	}
+)

 // Manager maintains and updates the certificates in use by this certificate
 // manager. In the background it communicates with the API server to get new
@ -94,8 +163,12 @@ type Config struct {
 	// the issued certificate is not guaranteed as the signer may choose to ignore the request.
 	RequestedCertificateLifetime *time.Duration
 	// Usages is the types of usages that certificates generated by the manager
-	// can be used for.
+	// can be used for. It is mutually exclusive with GetUsages.
 	Usages []certificates.KeyUsage
+	// GetUsages is dynamic way to get the types of usages that certificates generated by the manager
+	// can be used for. If Usages is not nil, GetUsages has to be nil, vice versa.
+	// It is mutually exclusive with Usages.
+	GetUsages func(privateKey interface{}) []certificates.KeyUsage
 	// CertificateStore is a persistent store where the current cert/key is
 	// kept and future cert/key pairs will be persisted after they are
 	// generated.
@ -192,7 +265,7 @@ type manager struct {
 	dynamicTemplate              bool
 	signerName                   string
 	requestedCertificateLifetime *time.Duration
-	usages                       []certificates.KeyUsage
+	getUsages                    func(privateKey interface{}) []certificates.KeyUsage
 	forceRotation                bool

 	certStore Store
@ -235,6 +308,18 @@ func NewManager(config *Config) (Manager, error) {
 		getTemplate = func() *x509.CertificateRequest { return config.Template }
 	}

+	if config.GetUsages != nil && config.Usages != nil {
+		return nil, errors.New("cannot specify both GetUsages and Usages")
+	}
+	if config.GetUsages == nil && config.Usages == nil {
+		return nil, errors.New("either GetUsages or Usages should be specified")
+	}
+	var getUsages func(interface{}) []certificates.KeyUsage
+	if config.GetUsages != nil {
+		getUsages = config.GetUsages
+	} else {
+		getUsages = func(interface{}) []certificates.KeyUsage { return config.Usages }
+	}
 	m := manager{
 		stopCh:                       make(chan struct{}),
 		clientsetFn:                  config.ClientsetFn,
@ -242,7 +327,7 @@ func NewManager(config *Config) (Manager, error) {
 		dynamicTemplate:              config.GetTemplate != nil,
 		signerName:                   config.SignerName,
 		requestedCertificateLifetime: config.RequestedCertificateLifetime,
-		usages:                       config.Usages,
+		getUsages:                    getUsages,
 		certStore:                    config.CertificateStore,
 		cert:                         cert,
 		forceRotation:                forceRotation,
@ -256,8 +341,9 @@ func NewManager(config *Config) (Manager, error) {
 		name = m.signerName
 	}
 	if len(name) == 0 {
+		usages := getUsages(nil)
 		switch {
-		case hasKeyUsage(config.Usages, certificates.UsageClientAuth):
+		case hasKeyUsage(usages, certificates.UsageClientAuth):
 			name = string(certificates.UsageClientAuth)
 		default:
 			name = "certificate"
@ -416,7 +502,7 @@ func getCurrentCertificateOrBootstrap(
 	bootstrapCert.Leaf = certs[0]

 	if _, err := store.Update(bootstrapCertificatePEM, bootstrapKeyPEM); err != nil {
-		utilruntime.HandleError(fmt.Errorf("Unable to set the cert/key pair to the bootstrap certificate: %v", err))
+		utilruntime.HandleError(fmt.Errorf("unable to set the cert/key pair to the bootstrap certificate: %v", err))
 	}

 	return &bootstrapCert, true, nil
@ -464,9 +550,14 @@ func (m *manager) rotateCerts() (bool, error) {
 		return false, nil
 	}

+	getUsages := m.getUsages
+	if m.getUsages == nil {
+		getUsages = DefaultKubeletClientGetUsages
+	}
+	usages := getUsages(privateKey)
 	// Call the Certificate Signing Request API to get a certificate for the
-	// new private key.
-	reqName, reqUID, err := csr.RequestCertificate(clientSet, csrPEM, "", m.signerName, m.requestedCertificateLifetime, m.usages, privateKey)
+	// new private key
+	reqName, reqUID, err := csr.RequestCertificate(clientSet, csrPEM, "", m.signerName, m.requestedCertificateLifetime, usages, privateKey)
 	if err != nil {
 		utilruntime.HandleError(fmt.Errorf("%s: Failed while requesting a signed certificate from the control plane: %v", m.name, err))
 		if m.certificateRenewFailure != nil {
@ -622,17 +713,17 @@ func (m *manager) updateServerError(err error) error {
 	m.certAccessLock.Lock()
 	defer m.certAccessLock.Unlock()
 	switch {
-	case errors.IsUnauthorized(err):
+	case apierrors.IsUnauthorized(err):
 		// SSL terminating proxies may report this error instead of the master
 		m.serverHealth = true
-	case errors.IsUnexpectedServerError(err):
+	case apierrors.IsUnexpectedServerError(err):
 		// generally indicates a proxy or other load balancer problem, rather than a problem coming
 		// from the master
 		m.serverHealth = false
 	default:
 		// Identify known errors that could be expected for a cert request that
 		// indicate everything is working normally
-		m.serverHealth = errors.IsNotFound(err) || errors.IsForbidden(err)
+		m.serverHealth = apierrors.IsNotFound(err) || apierrors.IsForbidden(err)
 	}
 	return nil
 }
--- a/staging/src/k8s.io/client-go/util/certificate/certificate_manager_test.go
+++ b/staging/src/k8s.io/client-go/util/certificate/certificate_manager_test.go
@ -276,7 +276,6 @@ func TestSetRotationDeadline(t *testing.T) {
 					},
 				},
 				getTemplate: func() *x509.CertificateRequest { return &x509.CertificateRequest{} },
-				usages:      []certificatesv1.KeyUsage{},
 				now:         func() time.Time { return now },
 				logf:        t.Logf,
 			}
@ -472,7 +471,6 @@ func TestRotateCertCreateCSRError(t *testing.T) {
 			},
 		},
 		getTemplate: func() *x509.CertificateRequest { return &x509.CertificateRequest{} },
-		usages:      []certificatesv1.KeyUsage{},
 		clientsetFn: func(_ *tls.Certificate) (clientset.Interface, error) {
 			return newClientset(fakeClient{failureType: createError}), nil
 		},
@ -497,7 +495,6 @@ func TestRotateCertWaitingForResultError(t *testing.T) {
 			},
 		},
 		getTemplate: func() *x509.CertificateRequest { return &x509.CertificateRequest{} },
-		usages:      []certificatesv1.KeyUsage{},
 		clientsetFn: func(_ *tls.Certificate) (clientset.Interface, error) {
 			return newClientset(fakeClient{failureType: watchError}), nil
 		},