kubelet: add setting for configuring serverTLSBootstrap #1485
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
etungsten
commented
Apr 14, 2021
sources/api/migration/migrations/v1.1.0/kubelet-server-tls-bootstrap/src/main.rs
Outdated
Show resolved
Hide resolved
zmrow
reviewed
Apr 14, 2021
README.md
Outdated
| @@ -309,6 +309,7 @@ The following settings are optional and allow you to further configure your clus | |||
| * `settings.kubernetes.cluster-domain`: The DNS domain for this cluster, allowing all Kubernetes-run containers to search this domain before the host's search domains. Defaults to `cluster.local`. | |||
| * `settings.kubernetes.standalone-mode`: Whether to run the kubelet in standalone mode, without connecting to an API server. Defaults to `false`. | |||
| * `settings.kubernetes.authentication-mode`: Which authentication method the kubelet should use to connect to the API server, and for incoming requests. Defaults to `aws` for AWS variants, and `tls` for other variants. | |||
| * `settings.kubernetes.server-tls-bootstrap`: Whether to enable server certificate bootstrap. When enabled, the kubelet will request a certificate from the certificates.k8s.io API. This requires an approver to approve the certificate signing requests (CSR). Defaults to `true`. | |||
There was a problem hiding this comment.
Nit: might be clearer to say "Enables or disables server certificate bootstrap. When enabled, ..."
etungsten
force-pushed
the
configurable-tls-bootstrap
branch
from
388c8a3
to
72a36cb
Compare
|
Push above addresses @zmrow 's comment. Fixes wording in README. |
|
Updated testing description to show that when |
etungsten
force-pushed
the
configurable-tls-bootstrap
branch
from
72a36cb
to
ea0f099
Compare
|
Push above fixes a typo. |
bcressey
approved these changes
Apr 15, 2021
webern
approved these changes
Apr 15, 2021
Adds a new setting `kubernetes.server-tls-bootstrap` for configuring whether to enable server certificate bootstrap for the kubelet.
Adds a migration for the new `kubernetes.server-tls-bootstrap` setting.
etungsten
force-pushed
the
configurable-tls-bootstrap
branch
from
ea0f099
to
f44185b
Compare
|
Push above rebases onto develop and fixes conflicts. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue number:
Fixes #1467
Description of changes:
Testing done:
Built x86 aws-k8s-1.19 image and launched instance with said image. Was able to toggle
kubernetes.server-tls-bootstrapsetting and see kubelet-config update accordingly, kubelet was able to restart successfully after each settings change. Node is still ready and can still run pods.Launching the instance with userdata that sets
kubernetes.server-tls-bootstraptofalsealso works. The node comes up fine and can run pods.When the instance is launched with
kubernetes.server-tls-bootstraptofalse.kubectl get csrdoes not show any CSRs from the launched node. When I toggle the setting to true,kubectl get csrshows the node requesting a new CSR.When the instance is launched with
kubernetes.server-tls-bootstraptotrue.kubectl get csrdoes show a CSR from the launched node.Tested migration by upgrading from the release image to the image with the setting and saw that I was able to toggle the new setting as expected. Downgraded back to the release version and the setting no longer exists as expected and
serverTLSBootstrapis set to true by default as expected.Terms of contribution:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.