-
Notifications
You must be signed in to change notification settings - Fork 717
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Creating separate CAs for client and server certificates #2586
Comments
@chrisnegus: This issue is currently awaiting triage. SIG Docs takes a lead on issue triage for this website, but any Kubernetes member can accept issues by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
hi, you can close this issue and log the same issue in kubernetes/kubeadm for tracking. |
/transfer kubeadm Is that OK? |
/retitle Creating separate CAs for client and server certificates @chrisnegus would you be willing to tweak this issue now it's logged against kubeadm? The description is now slightly out (through no fault of your own). |
/kind feature |
thanks for transferring the issue @sftim we can keep this tracked here, but i also wanted to note that i have hopes that certificate revocation will be supported one day, which is a much desired feature in general. |
@neolit123 @sftim Thanks for following up with this. I would be happy to help if some writing assistance is needed with this. |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
edit: neolit123
This is a Feature Request
A suggestion was made by @deads2k in PR26837 to update kubeadm docs to suggest separating client and server CAs:
If I were choosing one thing to tweak about kubeadm's certificate generation overall, I would suggest splitting the CA that signs serving certificates from the CA that signs client certificates. Since we lack individual certificate revocation and the few servers are less likely to expose their cert/key pairs than the many clients, separating the two allows for less disruption if a CA needs to stop being trusted.
What would you like to be added
Add two separate CAs for signing server and client certificates in kubeadm deployments.
Update documentation describing suggesting that separate CAs be used. The information could go on the PKI certificates and requirements page), but it could also go on other kubeadm initialization docs.
Why is this needed
This practice could result in less disruption of only one of the two CAs needs to stop being trusted.
The text was updated successfully, but these errors were encountered: