CA expiry should be far longer than ten years #1783
Comments
I will bring this topic up in the kubeadm meeting this week.
@NeilW this was discussed in last week's office hours, and the current agreement is to not extend the certificate authority duration, but instead to work on making certificate rotation possible with kubeadm and, as soon as certificate rotation is available, reduce the certificate authority duration. If you have comments, please let me know so we can eventually reopen the issue.
/close
@fabriziopandini: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
I'm happy either way. I've spent the last week getting the CA certificate rotation to work on our Terraform deployment (which we do by maintaining the same private key and issuing a new certificate). Haven't done it for etcd or the front proxy though. Do we have a ticket/request to track the CA certificate rotation project?
FEATURE REQUEST
The current expiry date on a self-certified CA created by kubeadm is 10 years. Having spent the last few weeks migrating and propping up 10-year-old Rails systems, I suspect k8s systems created now will be around in 10 years' time.
If the CA expires, the system comes to a hard stop and is very difficult to recover. There is no documentation about how to change over, and even the certificate rotation code has the direct warning: "we are not offering support for renewing CAs; this would cause serious consequences"
https://github.com/kubernetes/kubernetes/blob/master/cmd/kubeadm/app/phases/certs/renewal/manager.go#L83
The self-signed certificate code seems to have 10 years hard-coded in it, with no comment as to why.
https://github.com/kubernetes/kubernetes/blob/35cf6b6cbc7c55258ac0e3af51f6b0f5119750b1/staging/src/k8s.io/client-go/util/cert/cert.go#L57
If we're going to kick this into the long grass, then we should kick it further - with 100 or 1000 year CA expiry on self-signed certs. I see no good reason why they should expire, and a whole load of stored up problems if they do.
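As an added example (not code from this issue, from kubeadm or from client-go), the Go program below reproduces with nothing but crypto/x509 the hard stop the feature request describes and the workaround NeilW describes in the comments: a serving certificate issued shortly before the CA expires fails to verify against the expired CA, but verifies against a CA certificate re-issued on the unchanged private key, because crypto/x509 derives the CA's SubjectKeyId from the public key and copies it into each leaf's AuthorityKeyId. The ten-year constant, the names "kubernetes" and "kube-apiserver", the dates and the use of Ed25519 keys (kubeadm defaults to RSA) are this example's own assumptions.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// tenYears mirrors the hard-coded validity the issue complains about; it, the names and the dates here are this example's assumptions.
const tenYears = 10 * 365 * 24 * time.Hour

// issue assigns a random serial, signs tmpl with key under parent and returns the parsed cert.
func issue(tmpl, parent *x509.Certificate, pub crypto.PublicKey, key crypto.Signer) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber = serial
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SelfSignCA issues a self-signed CA cert. SubjectKeyId is left empty on purpose:
// crypto/x509 derives it from the public key, so a cert re-issued for the same
// key carries the same identifier and leaves issued earlier still chain to it.
func SelfSignCA(caPub ed25519.PublicKey, caKey ed25519.PrivateKey, cn string, notBefore time.Time, validFor time.Duration) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(validFor),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	return issue(tmpl, tmpl, caPub, caKey)
}

// IssueLeaf signs a serving cert under ca; crypto/x509 copies ca.SubjectKeyId into its AuthorityKeyId.
func IssueLeaf(ca *x509.Certificate, caKey ed25519.PrivateKey, leafPub ed25519.PublicKey, cn string, notBefore time.Time, validFor time.Duration) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		Subject:     pkix.Name{CommonName: cn},
		NotBefore:   notBefore,
		NotAfter:    notBefore.Add(validFor),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return issue(tmpl, ca, leafPub, caKey)
}

// VerifyAt validates leaf with ca as the only trust anchor at instant at; both certs must be inside their validity windows then.
func VerifyAt(leaf, ca *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at})
	return err
}

// Result holds the original and re-issued CA plus the outcome of verifying the
// same leaf against each, one day after the original CA expired.
type Result struct {
	OldCA, NewCA                  *x509.Certificate
	BeforeRotation, AfterRotation error
}

// Scenario replays the failure mode from the issue: a ten-year CA, a one-year
// serving cert issued 90 days before the CA expires, then rotation on the same key.
func Scenario() (*Result, error) {
	caPub, caKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	leafPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	created := time.Date(2019, 9, 1, 0, 0, 0, 0, time.UTC) // constructed date
	oldCA, err := SelfSignCA(caPub, caKey, "kubernetes", created, tenYears)
	if err != nil {
		return nil, err
	}
	leafStart := oldCA.NotAfter.Add(-90 * 24 * time.Hour)
	leaf, err := IssueLeaf(oldCA, caKey, leafPub, "kube-apiserver", leafStart, 365*24*time.Hour)
	if err != nil {
		return nil, err
	}
	newCA, err := SelfSignCA(caPub, caKey, oldCA.Subject.CommonName, leafStart, tenYears) // same key, new window
	if err != nil {
		return nil, err
	}
	dayAfter := oldCA.NotAfter.Add(24 * time.Hour)
	return &Result{OldCA: oldCA, NewCA: newCA,
		BeforeRotation: VerifyAt(leaf, oldCA, dayAfter),
		AfterRotation:  VerifyAt(leaf, newCA, dayAfter)}, nil
}
```

Scenario returns a non-nil BeforeRotation (the expired CA is rejected) and a nil AfterRotation. The same-key re-issue only helps if the new certificate is actually distributed: every kubeconfig, the CA bundle mounted into pods and each peer's trust store have to carry it before the old one expires, and keeping the key means a key compromise survives the rotation, which is the trade-off against a full re-key.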