github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
46f05b0c2bc1535ba432f7ea83d9861c01799798
kubernetes/cmd
History
Kubernetes Submit Queue 5cff6c9091 Merge pull request #60385 from stealthybox/feature/kubeadm_710-etcd-ca 
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

kubeadm 710 Switch to a dedicated CA for kubeadm etcd identities

**What this PR does / why we need it**:
On `kubeadm init`/`kubeadm upgrade`, this PR generates an etcd specific CA for signing the following certs:
- etcd serving cert
- etcd peer cert
- apiserver etcd client cert

These certs were previously signed by the kubernetes CA.
The etcd static pod in `local.go` has also been updated to only mount the `/etcd` subdir of `cfg.CertificatesDir`.

New phase command:
```
kubeadm alpha phase certs etcd-ca
```

See the linked issue for details on why this change is an important security feature.

**Which issue(s) this PR fixes**
Fixes https://github.com/kubernetes/kubeadm/issues/710

**Special notes for your reviewer**:

#### on the master
this should still fail:
```bash
curl localhost:2379/v2/keys  # no output
curl --cacert /etc/kubernetes/pki/etcd/ca.crt https://localhost:2379/v2/keys  # handshake error
```
this should now fail: (previously would succeed)
```
cd /etc/kubernetes/pki
curl --cacert etcd/ca.crt --cert apiserver-kubelet-client.crt --key apiserver-kubelet-client.key https://localhost:2379/v2/keys
  # curl: (35) error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
```
this should still succeed:
```
cd /etc/kubernetes/pki
curl --cacert etcd/ca.crt --cert apiserver-etcd-client.crt --key apiserver-etcd-client.key https://localhost:2379/v2/keys
```

**Release note**:
```release-note
On cluster provision or upgrade, kubeadm generates an etcd specific CA for all etcd related certificates.
```
2018-03-01 02:03:58 -08:00
..
clicheck
Autogenerated: hack/update-bazel.sh
2018-02-16 13:43:01 -08:00
cloud-controller-manager
Merge pull request #60291 from hzxuzhonghu/cloud-cm-use-healthz
2018-02-28 03:37:37 -08:00
controller-manager
run update bazel
2018-02-28 17:25:03 +08:00
gendocs
Autogenerated: hack/update-bazel.sh
2018-02-16 13:43:01 -08:00
genkubedocs
Autogenerated: hack/update-bazel.sh
2018-02-16 13:43:01 -08:00
genman
Autogenerated: hack/update-bazel.sh
2018-02-16 13:43:01 -08:00
genswaggertypedocs
Autogenerated: hack/update-bazel.sh
2018-02-16 13:43:01 -08:00
genutils
Autogenerated: hack/update-bazel.sh
2018-02-16 13:43:01 -08:00
genyaml
Autogenerated: hack/update-bazel.sh
2018-02-16 13:43:01 -08:00
hyperkube
Autogenerated: hack/update-bazel.sh
2018-02-16 13:43:01 -08:00
importverifier
Autogenerated: hack/update-bazel.sh
2018-02-16 13:43:01 -08:00
kube-apiserver
implement token authenticator for new id tokens
2018-02-27 17:20:46 -08:00
kube-controller-manager
Merge pull request #60291 from hzxuzhonghu/cloud-cm-use-healthz
2018-02-28 03:37:37 -08:00
kube-proxy
Move linux-only getProxyMode tests to a linux-only file.
2018-02-27 13:53:32 -08:00
kube-scheduler
Temporary fix for LeaderElect for kube-scheduler
2018-02-27 21:20:47 +00:00
kubeadm
Merge pull request #60385 from stealthybox/feature/kubeadm_710-etcd-ca
2018-03-01 02:03:58 -08:00
kubectl
auth: reregister auth providers
2018-02-26 09:08:41 -08:00
kubelet
Merge pull request #60314 from mtaufen/kubelet-manifest-is-oldspeak
2018-02-24 20:01:46 -08:00
kubemark
Autogenerated: hack/update-bazel.sh
2018-02-16 13:43:01 -08:00
linkcheck
Autogenerated: hack/update-bazel.sh
2018-02-16 13:43:01 -08:00
BUILD
gke-certificates-controller: rm -rf
2018-02-15 12:01:00 -08:00
OWNERS
Updated top level owners file to match new format
2017-01-19 11:29:16 -08:00