
Allow extension API server to read requestheader-client-ca from extension-apiserver-authentication ConfigMap #65724

Closed
rtripat opened this issue Jul 2, 2018 · 7 comments · Fixed by #66394
Labels: kind/feature (Categorizes issue or PR as related to a new feature), sig/api-machinery (Categorizes an issue or PR as relevant to SIG API Machinery), sig/auth (Categorizes an issue or PR as relevant to SIG Auth)

Comments

rtripat (Contributor) commented Jul 2, 2018

Is this a BUG REPORT or FEATURE REQUEST?:
/kind feature

What happened:
When I start the core API server with requestheader-client-ca-file, it populates the extension-apiserver-authentication ConfigMap in the kube-system namespace with the requestheader CA. This allows the extension API server to dynamically discover the CA and use it for validating the client certificate of the aggregator layer. See here for documentation.

However, if the core API server doesn't use certificate based authentication for its clients, i.e. the client-ca-file flag isn't set in the core API server, then the extension API server fails to start with the error message

Error: cluster doesn't provide client-ca-file

I believe this is coming from bootstrap code in extension API server here.

What you expected to happen:
Extension API server should be able to start and not require that both client-ca and requestheader-ca be present in the extension-apiserver-authentication ConfigMap. This allows Kubernetes clusters which don't use certificate based authentication for core API server to be able to dynamically discover the requestheader-ca instead of having to mount it as a secret.

How to reproduce it (as minimally and precisely as possible):

  • Create a Kubernetes cluster which uses non certificate based authentication for core API server like Webhook based authentication. Example: You can launch an Amazon EKS cluster which uses Webhook based authentication following steps outlined here.
  • Set up the aggregator layer by adding the flags mentioned here. The CA certificate and client certificate for the aggregator layer can be generated using kubeadm alpha phase certs front-proxy-ca and kubeadm alpha phase certs front-proxy-client.
  • Deploy metrics server to the cluster following the steps in the Deployment section of the README here.
  • Get logs of metrics server pod and it should be failing with error message above

Anything else we need to know?:
It's possible there is a reason which is not evident to me as to why extension API server would require both client-ca-file and requestheader-client-ca-file to be present in the ConfigMap.

Environment:

  • Kubernetes version (use kubectl version): 1.10.3
  • Cloud provider or hardware configuration: Amazon EKS
  • OS (e.g. from /etc/os-release): Kubernetes control plane and nodes = Amazon Linux 2 (2017.12) LTS Release Candidate (4.14.42).
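The behaviour this issue asks for, as an added example in Go that is not code from Kubernetes or the apiserver library: the extension API server reads the extension-apiserver-authentication ConfigMap, insists on requestheader-client-ca-file (the aggregator CA, which authenticates the front proxy) and treats a missing client-ca-file as "no client-certificate authentication" rather than a fatal bootstrap error. The ConfigMap data keys are the real ones; the names ParseAuthConfigMap, AuthConfig, AllowedName and NewTestCAPEM are hypothetical, and the CA material is generated on the fly as constructed sample input. It also rejects a CA key that is present but contains no parsable certificate, so a mis-populated ConfigMap fails loudly instead of producing an empty trust pool.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Data keys of the kube-system/extension-apiserver-authentication ConfigMap.
const (
	keyClientCA           = "client-ca-file"
	keyRequestHeaderCA    = "requestheader-client-ca-file"
	keyRequestHeaderNames = "requestheader-allowed-names"
)

// The aggregator CA is the one thing an extension API server cannot start without.
var ErrNoRequestHeaderCA = errors.New("cluster doesn't provide requestheader-client-ca-file")

// AuthConfig is a hypothetical bootstrap result, not the apiserver library's type.
type AuthConfig struct {
	ClientCAs        *x509.CertPool // nil when the core API server set no client-ca-file
	RequestHeaderCAs *x509.CertPool
	AllowedNames     []string // empty: any CN the requestheader CA signed is accepted
}

// parsePEMPool fails when no certificate can be parsed from the bundle.
func parsePEMPool(bundle string) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM([]byte(bundle)) {
		return nil, errors.New("no parsable CERTIFICATE block in PEM bundle")
	}
	return pool, nil
}

// ParseAuthConfigMap: requestheader CA required, client CA optional.
func ParseAuthConfigMap(data map[string]string) (*AuthConfig, error) {
	cfg := &AuthConfig{}
	rh := data[keyRequestHeaderCA]
	if rh == "" {
		return nil, ErrNoRequestHeaderCA
	}
	pool, err := parsePEMPool(rh)
	if err != nil {
		return nil, fmt.Errorf("%s: %w", keyRequestHeaderCA, err)
	}
	cfg.RequestHeaderCAs = pool
	// client-ca-file is absent when the core API server authenticates its
	// clients with webhook tokens: that disables client-cert authn, it is not fatal.
	if ca := data[keyClientCA]; ca != "" {
		if cfg.ClientCAs, err = parsePEMPool(ca); err != nil {
			return nil, fmt.Errorf("%s: %w", keyClientCA, err)
		}
	}
	if raw := data[keyRequestHeaderNames]; raw != "" {
		if err := json.Unmarshal([]byte(raw), &cfg.AllowedNames); err != nil {
			return nil, fmt.Errorf("%s: %w", keyRequestHeaderNames, err)
		}
	}
	return cfg, nil
}

// AllowedName is the CN check applied to a front-proxy client certificate
// that already chains to RequestHeaderCAs.
func (c *AuthConfig) AllowedName(cn string) bool {
	if len(c.AllowedNames) == 0 {
		return true
	}
	for _, n := range c.AllowedNames {
		if n == cn {
			return true
		}
	}
	return false
}

// NewTestCAPEM generates a throwaway self-signed CA (constructed sample input only).
func NewTestCAPEM(cn string) string {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

func main() {
	// Constructed ConfigMap data for a webhook-authenticated cluster: no client-ca-file key.
	cfg, err := ParseAuthConfigMap(map[string]string{
		keyRequestHeaderCA:    NewTestCAPEM("front-proxy-ca"),
		keyRequestHeaderNames: `["front-proxy-client"]`,
	})
	fmt.Println("bootstrap error:", err, "| client-cert authn:", cfg != nil && cfg.ClientCAs != nil)
}
```

Running it prints a nil bootstrap error and `client-cert authn: false` for the webhook-authenticated cluster, which is the state the issue wants the extension API server to accept; the same parser still refuses to start when the aggregator CA itself is missing or unparsable.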
@k8s-ci-robot k8s-ci-robot added needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. kind/feature Categorizes issue or PR as related to a new feature. labels Jul 2, 2018
rtripat (Contributor, Author) commented Jul 2, 2018

/sig api-machinery
@kubernetes/sig-apimachinery-feature-requests

/cc @DirectXMan12

@k8s-ci-robot k8s-ci-robot added sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jul 2, 2018
DirectXMan12 (Contributor) commented

@kubernetes/sig-api-machinery-feature-requests, since it looks like the at-mention didn't take

liggitt (Member) commented Jul 2, 2018

/sig auth
/assign @deads2k

@k8s-ci-robot k8s-ci-robot added the sig/auth Categorizes an issue or PR as relevant to SIG Auth. label Jul 2, 2018
eswarbala commented

Thanks Jordan. This is something we are interested in contributing to and ask for being cherrypicked to patch releases of 1.10.x and 1.11.x. That conversation can wait once we have the PR out.

rtripat (Contributor, Author) commented Jul 17, 2018

Quick update: I'm working on sending a PR for this issue by this week

rtripat added a commit to rtripat/kubernetes that referenced this issue Jul 19, 2018
…support certificate auth

This commit prevents extension API server from erroring out during bootstrap when the core
API server doesn't support client based authentication for its client i.e. client-ca isn't
present in extension-apiserver-authentication ConfigMap in kube-system.
kubernetes#65724
@sttts sttts self-assigned this Jul 24, 2018
rtripat added a commit to rtripat/kubernetes that referenced this issue Aug 8, 2018
…ion ConfigMap without client CA

This commit prevents extension API server from erroring out during bootstrap when the core
API server doesn't support certificate based authentication for its clients i.e. client-ca isn't
present in extension-apiserver-authentication ConfigMap in kube-system.

This can happen in cluster setups where core API server uses Webhook token authentication.

Fixes: kubernetes#65724
k8s-github-robot pushed a commit that referenced this issue Aug 8, 2018
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md

Support pulling requestheader CA from extension-apiserver-authentication ConfigMap without client CA

This commit prevents extension API server from erroring out during bootstrap when the core
API server doesn't support certificate based authentication for its clients i.e. client-ca isn't
present in extension-apiserver-authentication ConfigMap in kube-system.

This can happen in cluster setups where core API server uses Webhook token authentication.

Fixes: #65724

**Which issue(s) this PR fixes** 
Fixes #65724

**Special notes for your reviewer**:

**Release note**:
```release-note
Allows extension API server to dynamically discover the requestheader CA certificate when the core API server doesn't use certificate based authentication for its clients
```
k8s-publishing-bot pushed a commit to kubernetes/apiserver that referenced this issue Aug 8, 2018
…ion ConfigMap without client CA

This commit prevents extension API server from erroring out during bootstrap when the core
API server doesn't support certificate based authentication for its clients i.e. client-ca isn't
present in extension-apiserver-authentication ConfigMap in kube-system.

This can happen in cluster setups where core API server uses Webhook token authentication.

Fixes: kubernetes/kubernetes#65724

Kubernetes-commit: db828a44406efe09e2db91e6dc88d1292c9a29e1
k8s-publishing-bot added a commit to kubernetes/apiserver that referenced this issue Aug 8, 2018
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md

Support pulling requestheader CA from extension-apiserver-authentication ConfigMap without client CA

This commit prevents extension API server from erroring out during bootstrap when the core
API server doesn't support certificate based authentication for its clients i.e. client-ca isn't
present in extension-apiserver-authentication ConfigMap in kube-system.

This can happen in cluster setups where core API server uses Webhook token authentication.

Fixes: kubernetes/kubernetes#65724

**Which issue(s) this PR fixes**
Fixes #65724

**Special notes for your reviewer**:

**Release note**:
```release-note
Allows extension API server to dynamically discover the requestheader CA certificate when the core API server doesn't use certificate based authentication for its clients
```

Kubernetes-commit: 446eef54c58cf743395220b2e6728cef036e1c23
sttts pushed a commit to sttts/apiserver that referenced this issue Aug 9, 2018
…ion ConfigMap without client CA

This commit prevents extension API server from erroring out during bootstrap when the core
API server doesn't support certificate based authentication for its clients i.e. client-ca isn't
present in extension-apiserver-authentication ConfigMap in kube-system.

This can happen in cluster setups where core API server uses Webhook token authentication.

Fixes: kubernetes/kubernetes#65724

Kubernetes-commit: db828a44406efe09e2db91e6dc88d1292c9a29e1
sttts pushed a commit to sttts/apiserver that referenced this issue Aug 9, 2018
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md

Support pulling requestheader CA from extension-apiserver-authentication ConfigMap without client CA

This commit prevents extension API server from erroring out during bootstrap when the core
API server doesn't support certificate based authentication for its clients i.e. client-ca isn't
present in extension-apiserver-authentication ConfigMap in kube-system.

This can happen in cluster setups where core API server uses Webhook token authentication.

Fixes: kubernetes/kubernetes#65724

**Which issue(s) this PR fixes**
Fixes #65724

**Special notes for your reviewer**:

**Release note**:
```release-note
Allows extension API server to dynamically discover the requestheader CA certificate when the core API server doesn't use certificate based authentication for its clients
```

Kubernetes-commit: 446eef54c58cf743395220b2e6728cef036e1c23
eswarbala commented

@liggitt - Now that this is merged, can we open up the possibility of cherry picking to 1.10.x and 1.11.X please?

liggitt pushed a commit to liggitt/kubernetes that referenced this issue Aug 10, 2018
…ion ConfigMap without client CA

This commit prevents extension API server from erroring out during bootstrap when the core
API server doesn't support certificate based authentication for its clients i.e. client-ca isn't
present in extension-apiserver-authentication ConfigMap in kube-system.

This can happen in cluster setups where core API server uses Webhook token authentication.

Fixes: kubernetes#65724
liggitt pushed a commit to liggitt/kubernetes that referenced this issue Aug 10, 2018
…ion ConfigMap without client CA

This commit prevents extension API server from erroring out during bootstrap when the core
API server doesn't support certificate based authentication for its clients i.e. client-ca isn't
present in extension-apiserver-authentication ConfigMap in kube-system.

This can happen in cluster setups where core API server uses Webhook token authentication.

Fixes: kubernetes#65724
liggitt pushed a commit to liggitt/kubernetes that referenced this issue Aug 10, 2018
…ion ConfigMap without client CA

This commit prevents extension API server from erroring out during bootstrap when the core
API server doesn't support certificate based authentication for its clients i.e. client-ca isn't
present in extension-apiserver-authentication ConfigMap in kube-system.

This can happen in cluster setups where core API server uses Webhook token authentication.

Fixes: kubernetes#65724
liggitt (Member) commented Aug 10, 2018

sure, opened #67271, #67270, #67272

k8s-publishing-bot pushed a commit to kubernetes/apiserver that referenced this issue Aug 16, 2018
…ion ConfigMap without client CA

This commit prevents extension API server from erroring out during bootstrap when the core
API server doesn't support certificate based authentication for its clients i.e. client-ca isn't
present in extension-apiserver-authentication ConfigMap in kube-system.

This can happen in cluster setups where core API server uses Webhook token authentication.

Fixes: kubernetes/kubernetes#65724

Kubernetes-commit: faa8fde5235d5c48281e12b0236fe18ca11e54df
k8s-publishing-bot pushed a commit to kubernetes/apiserver that referenced this issue Aug 16, 2018
…ion ConfigMap without client CA

This commit prevents extension API server from erroring out during bootstrap when the core
API server doesn't support certificate based authentication for its clients i.e. client-ca isn't
present in extension-apiserver-authentication ConfigMap in kube-system.

This can happen in cluster setups where core API server uses Webhook token authentication.

Fixes: kubernetes/kubernetes#65724

Kubernetes-commit: 07e42782224913c248b6e8852b682cb21989d1ce
k8s-publishing-bot pushed a commit to kubernetes/apiserver that referenced this issue Aug 16, 2018
…ion ConfigMap without client CA

This commit prevents extension API server from erroring out during bootstrap when the core
API server doesn't support certificate based authentication for its clients i.e. client-ca isn't
present in extension-apiserver-authentication ConfigMap in kube-system.

This can happen in cluster setups where core API server uses Webhook token authentication.

Fixes: kubernetes/kubernetes#65724

Kubernetes-commit: 50448eb7ef9ca086abd54a9143bd3e60249af281
rtripat added a commit to rtripat/metrics-server that referenced this issue Aug 23, 2018
Updating apiserver dependency to pull from release-1.11 to bring in a
fix for running metrics server in clusters with client authentication
mechanisms other than cert based.

See kubernetes/kubernetes#65724 for more
details.
rtripat added a commit to rtripat/metrics-server that referenced this issue Aug 23, 2018
Updating apiserver dependency to pull from release-1.11 to bring in a
fix for running metrics server in clusters with client authentication
mechanisms other than cert based.

See kubernetes/kubernetes#65724 for more
details.
killwing pushed a commit to qiniu-ava/kubernetes that referenced this issue Oct 25, 2018
* update cadvisor godeps to v0.28.4 to fix container start times

* add IsLikelyNotMountPoint test on Windows

fix comments

fix comments on unit test

fix comments

* remove format operation in WaitForAttach

* Add/Update CHANGELOG-1.9.md for v1.9.9.

* add external resource group support for azure disk

fix naming issue

fix comments

* fix comments

* skip nic that are in failing state

* azure: Move configuration of resource group in storage class.

* fix azure disk issue for external resource group

fix build error

* azure: Add validation of resourceGroup option

* fix acr sp access issue

* Detect if GCE PD udev link is wrong and try to correct it

* Added test for scheduler informers

* Fix scheduler Pod informers to receive events when pods are scheduled by other schedulers.

* Support pulling requestheader CA from extension-apiserver-authentication ConfigMap without client CA

This commit prevents extension API server from erroring out during bootstrap when the core
API server doesn't support certificate based authentication for its clients i.e. client-ca isn't
present in extension-apiserver-authentication ConfigMap in kube-system.

This can happen in cluster setups where core API server uses Webhook token authentication.

Fixes: kubernetes#65724

* Rework multi-volume test to use StatefulSet

* attachdetach controller: attach volumes immediately when Pod's PVCs are bound - Use queue to process PVCs on add/update events - Index pods by PVC key then we don't need to iterate to find pods

* attachdetach controller: attach volumes immediately when Pod's PVCs are bound - Add integration test for this feature

* allow failed discovery on initial quota controller start

* a smaller fix for the apiserver panic

* apiserver: forward panic in WithTimeout filter

* fix log
7 participants