Comments (4)
From API version certificates.k8s.io/v1 onwards signerName is a required key for CSR's(certificate signing requests) and also they have made multiple built in signers for specific purposes which are supposed to be used for only k8s internal services.
Below are the few options which can be considered :
- Use k8s internal kubelet-serving signer to sign nri webhook certificate, by making changes to the certificate request as required by that signer(like common name start with system:node etc).
- Use custom signers like cert-manager(https://cert-manager.io/).
- Use self signed certificate.
But all the above options have some disadvantages Option1: we would be using signer of kubelet Option2:Cert manager's support for k8s csr API is currently experimental and also this would add an additional dependency Option3:Is not normally used in production(but since it's all in cluster should this be ok?).
from network-resources-injector.
some more info on the deprecation:
https://kubernetes.io/docs/reference/using-api/deprecation-guide/#certificatesigningrequest-v122
https://kubernetes.io/blog/2021/07/14/upcoming-changes-in-kubernetes-1-22/#api-changes
info on K8s CSR and Signers:
https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#signers
Additional info on webhook tls cert:
https://kubernetes.io/blog/2019/03/21/a-guide-to-kubernetes-admission-controllers/#tls-certificates
Naive question, in V1Beta who would issue the certificate ? (as signer name was not provided)
from network-resources-injector.
Summary from today's discussion about this issue
Today, NRI supports either providing a signed certificate from an external source using tls-cert-file
, tls-private-key-file
or by generating a certificate request and signing it using k8s signer via k8s certificates/v1beta1 API CertificateSigningRequest object (self approved by NRI).
The latter is no longer available in Kubernetes 1.22.
in k8s certificates/v1 a signer need to be provided.
see: https://kubernetes.io/blog/2021/07/14/upcoming-changes-in-kubernetes-1-22/#api-changes
Kubernetes provides built-in signers however it seems that none of them fit the bill.
Specifically the only candidate to be used as a signer is kubernetes.io/kubelet-serving
however it seems its only used to sign certificates intended to be used for kubelet serving endpoints that belong to system:nodes
organization. This is not really what we need.
It is desirable to still have a way to generate a signed certificate without the need to create, sign and manage it out of band.
The proposal is to create a self signed certificate and use it in MutatingWebhookConfiguration
instead of current mechanism.
Since requests are only served from within the cluster (no request from external network) this seems like a good path forward.
later on, if there is a use-case for it, we can revisit support for certificates/v1 CertificateSigningRequest with a custom signer.
e.g using cert-manager CertificateSigningRequest which is experimental at this point.
If we move forward with this proposal, I suggest the old code which uses certificates/v1beta1 to be removed and self signed certificates to be used instead.
@zshi-redhat do you see issues with this proposal ?
for downstream I assume you are using externally managed certificates.
IMHO this is a good path forward to have a good "out of the box" experience of NRI.
from network-resources-injector.
@zshi-redhat do you see issues with this proposal ?
This proposal sounds good to me, I don't see issues.
for downstream I assume you are using externally managed certificates.
We use a dedicated operator to manage the certificate signing activities downstream: https://github.com/openshift/service-ca-operator.
IMHO this is a good path forward to have a good "out of the box" experience of NRI.
Agreed
from network-resources-injector.
Related Issues (20)
- resource not injected in a large K8s cluster HOT 7
- Add stable tag for network resource injector container
- Release network-resources-injector v1.3 HOT 5
- Create a Deployment yaml for network-resource-injector
- Add Helm Chart
- NRI pod restart not handled HOT 3
- Health check for webhook server
- Release of Network resources injector HOT 3
- Too wide permissions given to service accounts
- CI lane is not able to finish the kind deployment HOT 2
- Help understanding webhook client certificates
- 'User Defined Injections' feature is missing access rights to configmap HOT 2
- 'User defined injections' feature does not react on ConfigMap remove HOT 1
- 'User defined injections' feature removes defined network annotations HOT 2
- create new release HOT 4
- User Defined Injections - does not take into account json path operation HOT 2
- User Defined Injections - injects only one property
- Can Network-Resources-Injector(NRI) to be deployed as a deployment HOT 2
- Resources limit and requests are added only to first container inside POD HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from network-resources-injector.