Thanks for your pull request. It looks like this may be your first contribution to a Google open source project, in which case you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed, please reply here (e.g. I signed it!) and we'll verify. Thanks.

• If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Check your existing CLA data and verify that your email is set on your git commits.
• If you signed the CLA as a corporation, please let us know the company's name.

@smarterclayton ptal

NodeAddresses contains a list of hostname(s) and IP addresses (internal and public). Do we need an entry there or other field in Node that indicates the name/address used for the TLS cert? See also #6419.

cc @roberthbailey

@bgrant0607 I would think that at the very least the node name would be included in the TLS cert correct?

@csrwng You can provide any cert you want for the kubelet (in which case you can choose to include the node name or not, but I would think any sane deployment would want to include it) or if you get the default self signed cert (see https://github.com/GoogleCloudPlatform/kubernetes/blob/master/cmd/kubelet/app/server.go#L249) we use the host name (possibly overridden by the command line flag) as the CN in the cert.

@cjcullen

CJ and I were talking this morning and we think that we don't want to rely on the node names being resolvable via DNS into IP addresses. An admin should be able to configure nodes with whatever name they want and the apiserver should still be able to connect to it. The node should also provide a resolvable name and/or reachable IP address to the apiserver when it registers.

cc @deads2k

@roberthbailey - should then the node have an additional field specifying which hosts or ips are accepted by its certificate?

I had actually proposed having the node give it's certificate to the master when it registered itself, but was convinced it was unnecessary. This would be a simple way of telling the master which hosts or ips are accepted though.

cc @erictune

@erictune - any comments? This change is simply to switch from using the node ip to the host name for a pod's subresources.

@csrwng A few of us talked this morning and I think I will end up adding a field to the NodeAddress that lets the apiserver know whether each address in the array is included in the node's TLS certificate. Then we can more intelligently pick which address to use to connect to a node.

LGTM.

@roberthbailey any problem with this going in while you sort out the new NodeAddress fields?

Nope.

I see a LGTM - any other comments? Otherwise will merge.

Merging.