Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

kubelet: add setting for configuring serverTLSBootstrap #1485

Merged
merged 2 commits into from
Apr 15, 2021
Merged

kubelet: add setting for configuring serverTLSBootstrap #1485

merged 2 commits into from
Apr 15, 2021

Conversation

etungsten
Copy link
Contributor

@etungsten etungsten commented Apr 13, 2021
edited
Loading

Issue number:
Fixes #1467

Description of changes:

Author: Erikson Tung <etung@amazon.com>
Date:   Tue Apr 13 13:58:05 2021 -0700

    migrations: add migration for adding `kubernetes.server-tls-bootstrap`
    
    Adds a migration for the new `kubernetes.server-tls-bootstrap` setting.


Author: Erikson Tung <etung@amazon.com>
Date:   Tue Apr 13 13:40:59 2021 -0700

    k8s: add setting for configuring serverTLSBootstrap
    
    Adds a new setting `kubernetes.server-tls-bootstrap` for configuring
    whether to enable server certificate bootstrap for the kubelet.

Testing done:
Built x86 aws-k8s-1.19 image and launched instance with said image. Was able to toggle kubernetes.server-tls-bootstrap setting and see kubelet-config update accordingly, kubelet was able to restart successfully after each settings change. Node is still ready and can still run pods.

Launching the instance with userdata that sets kubernetes.server-tls-bootstrap to false also works. The node comes up fine and can run pods.

When the instance is launched with kubernetes.server-tls-bootstrap to false. kubectl get csr does not show any CSRs from the launched node. When I toggle the setting to true, kubectl get csr shows the node requesting a new CSR.

When the instance is launched with kubernetes.server-tls-bootstrap to true. kubectl get csr does show a CSR from the launched node.

Tested migration by upgrading from the release image to the image with the setting and saw that I was able to toggle the new setting as expected. Downgraded back to the release version and the setting no longer exists as expected and serverTLSBootstrap is set to true by default as expected.

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

@etungsten etungsten requested review from bcressey and zmrow April 13, 2021 22:57
zmrow
zmrow reviewed Apr 14, 2021
View reviewed changes
README.md Outdated
@@ -309,6 +309,7 @@ The following settings are optional and allow you to further configure your clus
* `settings.kubernetes.cluster-domain`: The DNS domain for this cluster, allowing all Kubernetes-run containers to search this domain before the host's search domains. Defaults to `cluster.local`.
* `settings.kubernetes.standalone-mode`: Whether to run the kubelet in standalone mode, without connecting to an API server. Defaults to `false`.
* `settings.kubernetes.authentication-mode`: Which authentication method the kubelet should use to connect to the API server, and for incoming requests. Defaults to `aws` for AWS variants, and `tls` for other variants.
* `settings.kubernetes.server-tls-bootstrap`: Whether to enable server certificate bootstrap. When enabled, the kubelet will request a certificate from the certificates.k8s.io API. This requires an approver to approve the certificate signing requests (CSR). Defaults to `true`.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: might be clearer to say "Enables or disables server certificate bootstrap. When enabled, ..."

@etungsten etungsten force-pushed the configurable-tls-bootstrap branch from 388c8a3 to 72a36cb Compare April 15, 2021 16:17
@etungsten
Copy link
Contributor Author

Push above addresses @zmrow 's comment. Fixes wording in README.

@etungsten
Copy link
Contributor Author

Updated testing description to show that when server-tls-bootstrap is set to false, kubelet does not request any CSR.

@etungsten etungsten requested a review from zmrow April 15, 2021 16:44
@etungsten etungsten force-pushed the configurable-tls-bootstrap branch from 72a36cb to ea0f099 Compare April 15, 2021 16:44
@etungsten
Copy link
Contributor Author

Push above fixes a typo.

zmrow
zmrow approved these changes Apr 15, 2021
View reviewed changes
Copy link
Contributor

@zmrow zmrow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🦖

@etungsten
k8s: add setting for configuring serverTLSBootstrap
fb80369 
Adds a new setting `kubernetes.server-tls-bootstrap` for configuring
whether to enable server certificate bootstrap for the kubelet.
@etungsten
migrations: add migration for adding kubernetes.server-tls-bootstrap
f44185b 
Adds a migration for the new `kubernetes.server-tls-bootstrap` setting.
@etungsten etungsten force-pushed the configurable-tls-bootstrap branch from ea0f099 to f44185b Compare April 15, 2021 18:00
@etungsten
Copy link
Contributor Author

Push above rebases onto develop and fixes conflicts.

@etungsten etungsten merged commit 04acb06 into bottlerocket-os:develop Apr 15, 2021
@etungsten etungsten deleted the configurable-tls-bootstrap branch April 15, 2021 18:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@webern webern webern approved these changes

@zmrow zmrow zmrow approved these changes

@bcressey bcressey bcressey approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

add setting for kubelet server TLS bootstrap
4 participants
@etungsten @bcressey @zmrow @webern