mirror of https://github.com/k3s-io/k3s
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

kubeadm 710 Switch to a dedicated CA for kubeadm etcd identities

**What this PR does / why we need it**:
On `kubeadm init`/`kubeadm upgrade`, this PR generates an etcd-specific CA for signing the following certs:

- etcd serving cert
- etcd peer cert
- apiserver etcd client cert

These certs were previously signed by the kubernetes CA. The etcd static pod in `local.go` has also been updated to only mount the `/etcd` subdir of `cfg.CertificatesDir`.

New phase command:

```
kubeadm alpha phase certs etcd-ca
```

See the linked issue for details on why this change is an important security feature.

**Which issue(s) this PR fixes**
Fixes https://github.com/kubernetes/kubeadm/issues/710

**Special notes for your reviewer**:

#### on the master

this should still fail:

```bash
curl localhost:2379/v2/keys # no output
curl --cacert /etc/kubernetes/pki/etcd/ca.crt https://localhost:2379/v2/keys # handshake error
```

this should now fail: (previously would succeed)

```
cd /etc/kubernetes/pki
curl --cacert etcd/ca.crt --cert apiserver-kubelet-client.crt --key apiserver-kubelet-client.key https://localhost:2379/v2/keys
# curl: (35) error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
```

this should still succeed:

```
cd /etc/kubernetes/pki
curl --cacert etcd/ca.crt --cert apiserver-etcd-client.crt --key apiserver-etcd-client.key https://localhost:2379/v2/keys
```

**Release note**:

```release-note
On cluster provision or upgrade, kubeadm generates an etcd specific CA for all etcd related certificates.
```
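The same trust split can be checked offline, without a live etcd, by reproducing the PKI layout with throwaway CAs. This is an added example, not code from the PR or from kubeadm: it creates a cluster CA (`ca.crt`) and a separate etcd CA (`etcd/ca.crt`) in a temp dir, issues the two client certs named in the reviewer notes, and uses `openssl verify` to confirm that only the cert signed by the etcd CA chains to it. It assumes `openssl` and `mktemp` are on PATH; the CN values are constructed for the example.

```bash
#!/bin/sh
# Added example (not part of the PR): rebuild the kubeadm PKI layout with
# short-lived throwaway CAs and check which client certs the etcd CA trusts.
set -eu

WORK=$(mktemp -d)
cd "$WORK"
mkdir -p etcd

# make_ca NAME OUTBASE: self-signed CA with CN=NAME written to OUTBASE.crt/.key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.crt" >/dev/null 2>&1
}

# issue_cert CN CABASE OUTBASE: client cert CN=CN signed by CABASE.crt/.key
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$3.key" -out "$3.csr" >/dev/null 2>&1
  openssl x509 -req -in "$3.csr" -CA "$2.crt" -CAkey "$2.key" \
    -CAcreateserial -days 1 -out "$3.crt" >/dev/null 2>&1
}

# The two trust roots kubeadm now keeps apart (constructed stand-ins).
make_ca kubernetes ca        # cluster CA  -> ca.crt
make_ca etcd-ca etcd/ca      # etcd CA     -> etcd/ca.crt

# The client identities from the reviewer notes, signed by their respective CAs.
issue_cert kube-apiserver-kubelet-client ca apiserver-kubelet-client
issue_cert kube-apiserver-etcd-client etcd/ca apiserver-etcd-client

# trusted_by CAFILE CERT: exit 0 iff CERT chains to CAFILE
trusted_by() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# expected_split: exit 0 iff the etcd CA accepts the etcd client cert and
# rejects the kubelet client cert, i.e. the property the PR's curl checks test.
expected_split() {
  trusted_by etcd/ca.crt apiserver-etcd-client.crt &&
    ! trusted_by etcd/ca.crt apiserver-kubelet-client.crt
}

if expected_split; then
  echo "etcd CA trusts only the apiserver-etcd-client cert"
fi
```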