kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

CSR API to GA

pull/21108/head
Jordan Liggitt 2020-06-01 17:39:53 -04:00
parent bc2ed912d9
commit 78d4a10243
2 changed files with 58 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
content/en/docs/reference/access-authn-authz/certificate-signing-requests.md
View File

@ -10,7 +10,7 @@ weight: 20
<!-- overview --> <!-- overview -->
{{< feature-state for_k8s_version="v1.18" state="beta" >}} {{< feature-state for_k8s_version="v1.19" state="stable" >}}
The Certificates API enables automation of The Certificates API enables automation of
[X.509](https://www.itu.int/rec/T-REC-X.509) credential provisioning by providing [X.509](https://www.itu.int/rec/T-REC-X.509) credential provisioning by providing
@ -107,7 +107,8 @@ Kubernetes provides built-in signers that each have a well-known `signerName`:
1. CA bit allowed/disallowed - not allowed. 1. CA bit allowed/disallowed - not allowed.
1. `kubernetes.io/legacy-unknown`: has no guarantees for trust at all. Some distributions may honor these as client 1. `kubernetes.io/legacy-unknown`: has no guarantees for trust at all. Some distributions may honor these as client
certs, but that behavior is non-standard Kubernetes behavior. certs, but that behavior is not standard Kubernetes behavior.
This signerName can only be requested in CertificateSigningRequests created via the `certificates.k8s.io/v1beta1` API version.
Never auto-approved by {{< glossary_tooltip term_id="kube-controller-manager" >}}. Never auto-approved by {{< glossary_tooltip term_id="kube-controller-manager" >}}.
1. Trust distribution: None. There is no standard trust or distribution for this signer in a Kubernetes cluster. 1. Trust distribution: None. There is no standard trust or distribution for this signer in a Kubernetes cluster.
1. Permitted subjects - any 1. Permitted subjects - any
@ -361,12 +362,13 @@ status condition based on the state you determine:
For `Approved` CSRs: For `Approved` CSRs:
```yaml ```yaml
apiVersion: certificates.k8s.io/v1beta1 apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest kind: CertificateSigningRequest
... ...
status: status:
conditions: conditions:
- lastUpdateTime: "2020-02-08T11:37:35Z" - lastUpdateTime: "2020-02-08T11:37:35Z"
lastTransitionTime: "2020-02-08T11:37:35Z"
message: Approved by my custom approver controller message: Approved by my custom approver controller
reason: ApprovedByMyPolicy # You can set this to any string reason: ApprovedByMyPolicy # You can set this to any string
type: Approved type: Approved
@ -375,12 +377,13 @@ status:
For `Denied` CSRs: For `Denied` CSRs:
```yaml ```yaml
apiVersion: certificates.k8s.io/v1beta1 apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest kind: CertificateSigningRequest
... ...
status: status:
conditions: conditions:
- lastUpdateTime: "2020-02-08T11:37:35Z" - lastUpdateTime: "2020-02-08T11:37:35Z"
lastTransitionTime: "2020-02-08T11:37:35Z"
message: Denied by my custom approver controller message: Denied by my custom approver controller
reason: DeniedByMyPolicy # You can set this to any string reason: DeniedByMyPolicy # You can set this to any string
type: Denied type: Denied
@ -409,7 +412,51 @@ Users of the REST API can sign CSRs by submitting an UPDATE request to the `stat
subresource of the CSR to be signed. subresource of the CSR to be signed.
As part of this request, the `status.certificate` field should be set to contain the As part of this request, the `status.certificate` field should be set to contain the
signed certificate. signed certificate. This field contains one or more PEM-encoded certificates.
All PEM blocks must have the "CERTIFICATE" label, contain no headers,
and the encoded data must be a BER-encoded ASN.1 Certificate structure
as described in [section 4 of RFC5280](https://tools.ietf.org/html/rfc5280#section-4.1).
Example certificate content:
```
-----BEGIN CERTIFICATE-----
MIIDgjCCAmqgAwIBAgIUC1N1EJ4Qnsd322BhDPRwmg3b/oAwDQYJKoZIhvcNAQEL
BQAwXDELMAkGA1UEBhMCeHgxCjAIBgNVBAgMAXgxCjAIBgNVBAcMAXgxCjAIBgNV
BAoMAXgxCjAIBgNVBAsMAXgxCzAJBgNVBAMMAmNhMRAwDgYJKoZIhvcNAQkBFgF4
MB4XDTIwMDcwNjIyMDcwMFoXDTI1MDcwNTIyMDcwMFowNzEVMBMGA1UEChMMc3lz
dGVtOm5vZGVzMR4wHAYDVQQDExVzeXN0ZW06bm9kZToxMjcuMC4wLjEwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDne5X2eQ1JcLZkKvhzCR4Hxl9+ZmU3
+e1zfOywLdoQxrPi+o4hVsUH3q0y52BMa7u1yehHDRSaq9u62cmi5ekgXhXHzGmm
kmW5n0itRECv3SFsSm2DSghRKf0mm6iTYHWDHzUXKdm9lPPWoSOxoR5oqOsm3JEh
Q7Et13wrvTJqBMJo1GTwQuF+HYOku0NF/DLqbZIcpI08yQKyrBgYz2uO51/oNp8a
sTCsV4OUfyHhx2BBLUo4g4SptHFySTBwlpRWBnSjZPOhmN74JcpTLB4J5f4iEeA7
2QytZfADckG4wVkhH3C2EJUmRtFIBVirwDn39GXkSGlnvnMgF3uLZ6zNAgMBAAGj
YTBfMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDAjAMBgNVHRMB
Af8EAjAAMB0GA1UdDgQWBBTREl2hW54lkQBDeVCcd2f2VSlB1DALBgNVHREEBDAC
ggAwDQYJKoZIhvcNAQELBQADggEBABpZjuIKTq8pCaX8dMEGPWtAykgLsTcD2jYr
L0/TCrqmuaaliUa42jQTt2OVsVP/L8ofFunj/KjpQU0bvKJPLMRKtmxbhXuQCQi1
qCRkp8o93mHvEz3mTUN+D1cfQ2fpsBENLnpS0F4G/JyY2Vrh19/X8+mImMEK5eOy
o0BMby7byUj98WmcUvNCiXbC6F45QTmkwEhMqWns0JZQY+/XeDhEcg+lJvz9Eyo2
aGgPsye1o3DpyXnyfJWAWMhOz7cikS5X2adesbgI86PhEHBXPIJ1v13ZdfCExmdd
M1fLPhLyR54fGaY+7/X8P9AZzPefAkwizeXwe9ii6/a08vWoiE4=
-----END CERTIFICATE-----
```
Non-PEM content may appear before or after the CERTIFICATE PEM blocks and is unvalidated,
to allow for explanatory text as described in section 5.2 of RFC7468.
When encoded in JSON or YAML, this field is base-64 encoded.
A CertificateSigningRequest containing the example certificate above would look like this:
```yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
...
status:
certificate: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JS..."
```

11
content/en/docs/tasks/tls/managing-tls-in-a-cluster.md
View File

@ -109,12 +109,13 @@ command:
```shell ```shell
cat <<EOF | kubectl apply -f - cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1beta1 apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest kind: CertificateSigningRequest
metadata: metadata:
name: my-svc.my-namespace name: my-svc.my-namespace
spec: spec:
request: $(cat server.csr | base64 | tr -d '\n') request: $(cat server.csr | base64 | tr -d '\n')
signerName: kubernetes.io/kubelet-serving
usages: usages:
- digital signature - digital signature
- key encipherment - key encipherment
@ -125,10 +126,10 @@ EOF
Notice that the `server.csr` file created in step 1 is base64 encoded Notice that the `server.csr` file created in step 1 is base64 encoded
and stashed in the `.spec.request` field. We are also requesting a and stashed in the `.spec.request` field. We are also requesting a
certificate with the "digital signature", "key encipherment", and "server certificate with the "digital signature", "key encipherment", and "server
auth" key usages. We support all key usages and extended key usages listed auth" key usages, signed by the `kubernetes.io/kubelet-serving` signer.
[here](https://godoc.org/k8s.io/api/certificates/v1beta1#KeyUsage) A specific `signerName` must be requested.
so you can request client certificates and other certificates using this View documentation for [supported signer names](/docs/reference/access-authn-authz/certificate-signing-requests/#signers)
same API. for more information.
The CSR should now be visible from the API in a Pending state. You can see The CSR should now be visible from the API in a Pending state. You can see
it by running: it by running: