k3s/pkg/daemons/control
Siegfried Weber e77fd18270 Sign CSRs for kubelet-serving with the server CA
Problem:
Only the client CA is passed to the kube-controller-manager and
therefore CSRs with the signer name "kubernetes.io/kubelet-serving" are
signed with the client CA. Serving certificates must be signed with the
server CA, otherwise e.g. "kubectl logs" fails with the error message
"x509: certificate signed by unknown authority".

Solution:
Instead of providing only one CA via the kube-controller-manager
parameter "--cluster-signing-cert-file", the corresponding CA for every
signer is set with the parameters
"--cluster-signing-kube-apiserver-client-cert-file",
"--cluster-signing-kubelet-client-cert-file",
"--cluster-signing-kubelet-serving-cert-file", and
"--cluster-signing-legacy-unknown-cert-file".

Signed-off-by: Siegfried Weber <mail@siegfriedweber.net>
2021-05-05 15:59:57 -07:00
deps Use same SANs on ServingKubeAPICert as dynamiclistener 2021-04-28 09:58:19 -07:00
auth.go Move basic authentication to k3s 2020-08-28 17:18:34 -07:00
server.go Sign CSRs for kubelet-serving with the server CA 2021-05-05 15:59:57 -07:00
tunnel.go If tunnel session does not exist fallback to default dialer 2020-01-22 11:04:41 -07:00