Document requirements/recommended process for updating cluster TLS certs/keys #30575
Comments
|
@kelseyhightower Do you know how folks normally figure this out? |
|
I just had to go through this process more or less manually, and learned that restarting the kubelet does not restart any k8s master components that were launched by static manifests the kubelet is observing. In order to get kube-apiserver to restart and pickup the new TLS credentials, I had to move the kube-apiserver manifest out of the directory kubelet was watching, restart kubelet, then move the manifest back in and restart the kubelet again. This definitely needs to be documented. Hopefully there is a better way of telling the kubelet to restart the master components, too. If not, there really should be. |
|
Would a maintainer please bring a Kubernetes developer who can answer this into the conversation? Not having a way to restart the kube-system components to pick up TLS credential changes is a blocking issue for my team to roll out Kubernetes in production. Thanks! |
|
Comment from chancez on Slack which helps with a workaround for the time being:
|
|
I just had to re-make my cert and deploy it to all the nodes. These are my notes:
|
|
steps 3 and 4 are not required if you keep the old key as an additional valid public key (can pass multiple |
|
Thanks for the heads up. I forgot to mention that my setup isn't a production system but Kelsey's https://github.com/kelseyhightower/kubernetes-the-hard-way. The cluster in this tutorial uses one cert to rule them all. |
|
/sig docs |
|
Issues go stale after 90d of inactivity. Prevent issues from auto-closing with an If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or |
|
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
|
Clearly this is a still-existing problem, and it is really something that needs to be addressed minimally in documentation, ideally even in code. |
|
This is major blocker for us to run Kubernetes into production. Any advice would be much appreciated! I already tried to simulate a certificate rotation in a test environment and couldn't do so without causing downtime for running applications. /remove-lifecycle stale |
|
Rotten issues close after 30d of inactivity. Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
|
/remove-lifecycle rotten |
|
@trunet: you can't re-open an issue/PR unless you authored it or you are assigned to it. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/reopen |
|
@sftim: Reopened this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@jimmycuadra: This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/transfer website |
k8s-ci-robot
added
the
needs-triage
|
/language en |
|
@sftim: Those labels are not set on the issue: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
sig/security
|
/sig auth |
k8s-ci-robot
added
the
sig/auth
|
/kind feature |
k8s-ci-robot
added
triage/accepted
|
/assign @aramase |
|
Hello @aramase : Please may we have an update on whether this is being progressed at the moment and if you have any updates? |
|
This appears to have been completed in 92b56db and could be closed? |
|
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
Ah my bad - I am still working on this, but slowly. Will aim to get a PR ready by end of this week. /remove-lifecycle stale |
k8s-ci-robot
removed
the
lifecycle/stale
|
/lifecycle frozen |
k8s-ci-robot
added
the
lifecycle/frozen
|
Slightly relevant to #39694 |
|
@tomkivlin, you made a start on this. How did that go? |
|
FYI my work so far (that I'd pushed) is here: https://github.com/tomkivlin/website/blob/tomkivlin/issue14725/content/en/docs/concepts/security/kubernetes-encryption.md |
|
/assign |
|
Duplicated by (part of) #42258 |
|
Anyone who'd like to help with this issue is very welcome to work on it. |
|
/priority important-longterm |
k8s-ci-robot
added
the
priority/important-longterm
|
Help is (still) welcome |
If you're running Kubernetes with the master components secured with TLS, eventually you will need to update the certificate and key, and possibly even the CA cert. Right now there is no documentation about how this should be approached. What services need to be restarted when the CA cert, endpoint cert, or private key are changed on disk? If all the master components are running via the kubelet's static manifest directory, is it sufficient to just restart kubelet on the host? Or is it necessary to somehow manually restart each containerized master component that reads those files?
The text was updated successfully, but these errors were encountered: