Add documentation for certificate rotation. #5639
Prev
Previous commit
Add documentation for certificate rotation.
- Loading branch information
commit 09b250e6393f25a521ae536033b1e390c3afccc8
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,81 @@ | ||
| --- | ||
| approvers: | ||
| - jcbsmpsn | ||
| - mikedanese | ||
| title: Certificate Rotation | ||
| --- | ||
|
|
||
| {% capture overview %} | ||
| This page shows how to enable and configure certificate rotation for the kubelet. | ||
| {% endcapture %} | ||
|
|
||
| {% capture prerequisites %} | ||
|
|
||
| * Kubernetes version 1.8.0 or later is required | ||
|
|
||
| * Kubelet certificate rotation is beta in 1.8.0 which means it may change without notice. | ||
|
|
||
| {% endcapture %} | ||
|
|
||
| {% capture steps %} | ||
|
|
||
| ## Overview | ||
|
|
||
| The kubelet uses certificates for authenticating to the Kubernetes API. By | ||
| default, these certificates are issued with one year expiration so that they do | ||
| not need to be renewed too frequently. | ||
|
|
||
| Kubernetes 1.8 contains [kubelet certificate | ||
| rotation](/docs/tasks/administer-cluster/certificate-rotation/), a beta feature | ||
| that will automatically generate a new key and request a new certificate from | ||
| the Kubernetes API as the current certificate approaches expiration. Once the | ||
| new certificate is available, it will be used for authenticating connections to | ||
| the Kubernetes API. | ||
|
|
||
| ## Enabling client certificate rotation | ||
|
|
||
| The `kubelet` process accepts an argument `--rotate-certificates` that controls | ||
| if the kubelet will automatically request a new certificate as the expiration of | ||
| the certificate currently in use approaches. Since certificate rotation is a | ||
| beta feature, the feature flag must also be enabled with | ||
| `--feature-gates=RotateKubeletClientCertificate=true`. | ||
|
|
||
|
|
||
| The `kube-controller-manager` process accepts an argument | ||
| `--experimental-cluster-signing-duration` that controls how long certificates | ||
| will be issued for. | ||
|
|
||
| ## Understanding the certificate rotation configuration | ||
|
|
||
| When a kubelet starts up, if it is configured to bootstrap (using the | ||
| `--bootstrap-kubeconfig` flag), it will use its initial certificate to connect | ||
| to the Kubernetes API and issue a certificate signing request. You can view the | ||
|
There was a problem hiding this comment. punctuation: When a kubelet starts up, if it is configured to bootstrap (using the `--bootstrap-kubeconfig` flag) |
||
| status of certificate signing requests using: | ||
|
|
||
| ```sh | ||
| kubectl get csr | ||
| ``` | ||
|
|
||
| Initially a certificate signing request from the kubelet on a node will have a | ||
| status of `Pending`. If the certificate signing requests meets specific | ||
| criteria, it will be auto approved by the controller manager, then it will have | ||
| a status of `Approved`. Next, the controller manager will sign a certificate, | ||
| issued for the duration specified by the | ||
| `--experimental-cluster-signing-duration` parameter, and the signed certificate | ||
| will be attached to the certificate signing requests. | ||
|
|
||
| The kubelet will retrieve the signed certificate from the Kubernetes API and | ||
| write that to disk, in the location specified by `--cert-dir`. Then the kubelet | ||
| will use the new certificate to connect to the Kubernetes API. | ||
|
|
||
| As the expiration of the signed certificate approaches, the kubelet will | ||
| automatically issue a new certificate signing request, using the Kubernetes | ||
| API. Again, the controller manager will automatically approve the certificate | ||
| request and attach a signed certificate to the certificate signing request. The | ||
| kubelet will retrieve the new signed certificate from the Kubernetes API and | ||
| write that to disk. Then it will update the connections it has to the | ||
| Kubernetes API to reconnect using the new certificate. | ||
|
|
||
| {% endcapture %} | ||
|
|
||
| {% include templates/task.md %} | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are we supposed to mention that this feature was available as Alpha in v1.7?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a stability problem with certificate approval in 1.7, and the
--rotate-certificatesoption was introduced in 1.8. I would prefer to just document 1.8.