[KEP-267] Rotate Kubelet Server Certificate Retrospective KEP

[kannon92]

• One-line PR description: Open a retrospective KEP to document existing design and mark what work will be needed to eventually GA this feature.

• Issue link: Kubelet Server TLS Certificate Rotation #267

• Other comments: Taking over @SergeyKanzhelev KEP as I will be leading this effort.

[kannon92]

/hold

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: kannon92
Once this PR has been reviewed and has the lgtm label, please assign deads2k for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• keps/prod-readiness/OWNERS
• keps/sig-auth/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[kannon92]

/hold cancel

[kannon92]

/cc @tallclair

[sftim]

Thanks

Here's some feedback. I think we need more detail, even if we already have shipped code.

[sftim]

Why “N/A”? Maybe:

Suggested change

	N/A
	_None identified_

[sftim]

(nit)

Suggested change

	the Certificate Signing Request API instead of generating one self signed
	the CertificateSigningRequest API instead of generating one self signed

[sftim]

Suggested change

	Cluster operators want TLS between their nodes and the control plane. However, managing the
	certificates at scale is problematic. Kubernetes provides APIs to define X.509 certificates, signing
	requests for those certificates, and even trust anchors.
	As a cluster operator, automating the rotation of kubelet X.509 certificates has the potential to replace
	significant toil with an easy and secure ongoing process.
	### Background
	Kubernetes v1.7 introduced kubelet server certificate rotation as alpha.

[sftim]

Suggested change

	This is retrospective KEP description for the feature `RotateKubeletServerCertificate`.
	The feature gate `RotateKubeletServerCertificate` allows to configure kubelet to
	get a server certificate for the kubelet from the Certificate Signing Request
	API instead of generating one self signed and auto rotates the certificate as
	expiration approaches.
	This KEP proposes a mechanism to allow the kubelet to request and then use a certificate
	using the Kubernetes CertificateSigningRequest (CSR) API. A kubelet that can authenticate to the
	cluster's control plane can use that mechanism to support automatic certificate rotation
	before the existing certificate expires. Certificates are only issued to nodes if their CSR is
	explicitly approved.

I'd add a Background heading later in the KEP that explains why it's retrospective.

[sftim]

Suggested change

	- built-in support for approving CSRs nodes request (not currently done because
	- built-in support for approving CSRs that nodes have requested (omitted because

[sftim]

This section needs answering.

[sftim]

Suggested change

	No
	Yes, CertificateSigningRequests.

[sftim]

Do we need any more detail here?

[sftim]

Is this right?

Suggested change

	- "server_expiration_renew_errors"
	- "certificate_manager_server_rotation_seconds"
	- "certificate_manager_server_ttl_seconds"
	- `server_expiration_renew_errors` (counter)
	- `certificate_manager_server_rotation_seconds` (histogram)
	- `certificate_manager_server_ttl_seconds` (histogram)

[tallclair]

nit: can you add the help text (metric descriptions) here?

[sftim]

Suggested change

	Discussing this feature in sig-auth it was suggested that integration tests should be sufficient
	NA
	We won't do any end to end tests; this is because SIG Auth feel that integration tests provide sufficient
	coverage.

?

I think an optional end to end test would be nice to have, even so.

[tallclair]

The documentation also states that the command line flag is deprecated, but we don't actually mark it as deprecated in the code. I don't think it is deprecated?

[tallclair]

Is there any path to enabling this by default? It wouldn't make sense for standalone kubelets, but could we enable it by default for Kubelets with a kubeconfig?

[tallclair]

Suggested change

	When the feature gate `RotateKubeletServerCertificate` is true, then `ServerTLSBootstrap` is also required to be true.
	To enable this feature, both the feature gate `RotateKubeletServerCertificate` and configuration option `ServerTLSBootstrap` must be enabled.

[tallclair]

Maybe just link to the implementation, rather than inlining it here?

[tallclair]

Why not Stable? This line seems to conflict with the previous.

[kannon92]

This is mostly because they were alpha so I would think they should go alpha -> beta -> ga?

[tallclair]

nit: can you add the help text (metric descriptions) here?

[tallclair]

As long as the apiserver is configured to validate Kubelet serving certificates, and this feature is enabled, then it's functionality will be covered by a number existing E2E tests (anything that touches the kubelet serving path, e.g. exec/attach/portforward/logs).

Can you confirm whether any E2E test suites match this configuration?

[tallclair]

nit: don't make this a check box. It sounds like this is rationalizing the fact that conformance tests aren't part of the GA criteria?

[kannon92]

This is the template for PRR.

[tallclair]

Doesn't this depend on a CSR approver?

[kannon92]

What usually approves CSRs? I'm not very well versed in this area so I'm interested to learn more.

[tallclair]

I assume it will keep using the old cert until expiration? And I also assume kubelet would continue to function, but it's serving cert would be invalid? API server can be configured to ignore kubelet serving cert verification.

[kannon92]

Sorry I didn't address these comments. I realize that I don't have the domain knowledge to really answer these questions.

I brought this up to sig-node hoping that someone else could spearhead this feature. Our hope was to get this KEP out of the permanent beta state but the requirement is that we need to document the design of this feature.

I will be on leave for 1.31 so this won't make much progress unless someone else takes it.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Mark this PR as fresh with /remove-lifecycle stale
• Close this PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Mark this PR as fresh with /remove-lifecycle rotten
• Close this PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[kannon92]

/close

[k8s-ci-robot]

@kannon92: Closed this PR.

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[kannon92]

@aojea is taking this over. Closing my attempt.