github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-09-06 11:42:14 +00:00
Code Issues Projects Releases Wiki Activity

Update documents properly

Browse Source
This commit is contained in:
George Tankersley
2016-02-03 14:28:06 -08:00
parent c47d49dd3e
commit c553c5b575
1 changed files with 48 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
docs/proposals/kubelet-tls-bootstrap.md
View File

@@ -1,12 +1,44 @@
<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->
<!-- BEGIN STRIP_FOR_RELEASE -->
<img src="http://kubernetes.io/img/warning.png" alt="WARNING"
width="25" height="25">
<img src="http://kubernetes.io/img/warning.png" alt="WARNING"
width="25" height="25">
<img src="http://kubernetes.io/img/warning.png" alt="WARNING"
width="25" height="25">
<img src="http://kubernetes.io/img/warning.png" alt="WARNING"
width="25" height="25">
<img src="http://kubernetes.io/img/warning.png" alt="WARNING"
width="25" height="25">
<h2>PLEASE NOTE: This document applies to the HEAD of the source tree</h2>
If you are using a released version of Kubernetes, you should
refer to the docs that go with that version.
Documentation for other releases can be found at
[releases.k8s.io](http://releases.k8s.io).
</strong>
--
<!-- END STRIP_FOR_RELEASE -->
<!-- END MUNGE: UNVERSIONED_WARNING -->
# Kubelet TLS bootstrap # Kubelet TLS bootstrap
Author: George Tankersley (george.tankersley@coreos.com) Author: George Tankersley (george.tankersley@coreos.com)
## Preface ## Preface
This document describes a method for a kubelet to bootstrap itself This document describes a method for a kubelet to bootstrap itself
into a TLS-secured cluster. Crucially, it automates the provision and into a TLS-secured cluster. Crucially, it automates the provision and
distribution of signed certificates. distribution of signed certificates.
## Overview ## Overview
When a kubelet runs for the first time, it must be given TLS assets When a kubelet runs for the first time, it must be given TLS assets
or generate them itself. In the first case, this is a burden on the cluster or generate them itself. In the first case, this is a burden on the cluster
admin and a significant logistical barrier to secure Kubernetes rollouts. In admin and a significant logistical barrier to secure Kubernetes rollouts. In
@@ -16,6 +48,7 @@ private key and a CSR for submission to a cluster-level certificate signing
process. process.
## Preliminaries ## Preliminaries
We assume the existence of a functioning control plane. The We assume the existence of a functioning control plane. The
apiserver should be configured for TLS initially or possess the ability to apiserver should be configured for TLS initially or possess the ability to
generate valid TLS credentials for itself. If secret information is passed in generate valid TLS credentials for itself. If secret information is passed in
@@ -33,7 +66,9 @@ These should not change often and are thus simple to include in a static
provisioning script. provisioning script.
## API Changes ## API Changes
### CertificateSigningRequest Object ### CertificateSigningRequest Object
We introduce a new API object to represent PKCS#10 certificate signing We introduce a new API object to represent PKCS#10 certificate signing
requests. It will be accessible under: requests. It will be accessible under:
@@ -102,6 +137,7 @@ type CertificateSigningRequestList struct {
## Certificate Request Process ## Certificate Request Process
### Node intialization ### Node intialization
When the kubelet executes it checks a location on disk for TLS assets When the kubelet executes it checks a location on disk for TLS assets
(currently `/var/run/kubernetes/kubelet.{key,crt}` by default). If it finds (currently `/var/run/kubernetes/kubelet.{key,crt}` by default). If it finds
them, it proceeds. If there are no TLS assets, the kubelet generates a keypair them, it proceeds. If there are no TLS assets, the kubelet generates a keypair
@@ -115,6 +151,7 @@ and self-signed certificate. We propose the following optional fallback behavior
4. Set a watch on the CSR object to be notified of approval or rejection. 4. Set a watch on the CSR object to be notified of approval or rejection.
### Controller response ### Controller response
The apiserver must first validate the signature on the raw CSR data and reject The apiserver must first validate the signature on the raw CSR data and reject
requests featuring invalid CSRs. It then persists the requests featuring invalid CSRs. It then persists the
CertificateSigningRequests and exposes the List of all CSRs for an CertificateSigningRequests and exposes the List of all CSRs for an
@@ -125,6 +162,7 @@ generate and sign the certificate, then update the
CertificateSigningRequestStatus with the new data. CertificateSigningRequestStatus with the new data.
### Manual CSR approval ### Manual CSR approval
An administrator using `kubectl` or another API client can query the An administrator using `kubectl` or another API client can query the
CertificateSigningRequestList and update the status of CertificateSigningRequestList and update the status of
CertificateSigningRequests. The default Status is Unknown, indicating that CertificateSigningRequests. The default Status is Unknown, indicating that
@@ -134,6 +172,7 @@ Status of False indicates that the admin has denied the request. An admin may
also supply Reason and Message fields to explain the rejection. also supply Reason and Message fields to explain the rejection.
## kube-apiserver support (CA assets) ## kube-apiserver support (CA assets)
So that the apiserver can handle certificate issuance on its own, it will need So that the apiserver can handle certificate issuance on its own, it will need
access to CA signing assets. This could be as simple as a private key and a access to CA signing assets. This could be as simple as a private key and a
config file or as complex as a PKCS#11 client and supplementary policy system. config file or as complex as a PKCS#11 client and supplementary policy system.
@@ -141,6 +180,7 @@ For now, we will add flags for a signing key, a certificate, and a basic config
file. file.
## kubectl support ## kubectl support
To support manual CSR inspection and approval, we will add support for listing, To support manual CSR inspection and approval, we will add support for listing,
inspecting, and approving/rejecting CertificateSigningRequests to kubectl. The inspecting, and approving/rejecting CertificateSigningRequests to kubectl. The
interface will be similar to interface will be similar to
@@ -159,12 +199,14 @@ able to supply Reason and Message fields via additional flags.
## Security Considerations ## Security Considerations
### Endpoint Access Control ### Endpoint Access Control
The ability to post CSRs to the signing endpoint should be controlled. As a The ability to post CSRs to the signing endpoint should be controlled. As a
simple solution we propose that each node be provisioned with an auth token simple solution we propose that each node be provisioned with an auth token
(possibly static across the cluster) that is scoped via ABAC to only allow (possibly static across the cluster) that is scoped via ABAC to only allow
access to the CSR endpoint. access to the CSR endpoint.
### Expiration & Revocation ### Expiration & Revocation
The node is responsible for monitoring its own certificate expiration date. The node is responsible for monitoring its own certificate expiration date.
When the certificate is close to expiration, the kubelet should begin repeating When the certificate is close to expiration, the kubelet should begin repeating
this flow until it successfully obtains a new certificate. If the expiring this flow until it successfully obtains a new certificate. If the expiring
@@ -178,6 +220,12 @@ the future it may make sense to add CRL support to the apiserver's client cert
auth. auth.
## Future Work ## Future Work
- revocation UI in kubectl and CRL support at the apiserver - revocation UI in kubectl and CRL support at the apiserver
- supplemental policy (e.g. cluster CA only issues 30-day certs for hostnames *.k8s.example.com, each new cert must have fresh keys, ...) - supplemental policy (e.g. cluster CA only issues 30-day certs for hostnames *.k8s.example.com, each new cert must have fresh keys, ...)
- fully automated provisioning (using a handshake protocol or external list of authorized machines) - fully automated provisioning (using a handshake protocol or external list of authorized machines)
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
[![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/proposals/kubelet-tls-bootstrap.md?pixel)]()
<!-- END MUNGE: GENERATED_ANALYTICS -->