• Type: Sub-task
    • Resolution: Done
    • OCPSTRAT-1395 - Automated control-plane recovery from expired certificates (hibernation)

      Scope:

      • Master node only
      • Take into account the cluster upgrade scenario
      • Downgrade?

      Acceptance Criteria:

      • KEP reviewed and approved
      • Automatic approval of CSRs (no manual intervention)
      • e2e test to verify it works

      Dependencies:

      • Cloud provider
      • The kubelet generates and signs its CSR; the certificate is then issued by the kube-controller-manager (KCM), which holds the CSR signer. The open question is what happens when the KCM signer itself has expired; the KEP should answer this. https://issues.redhat.com/browse/API-1620

      To Investigate:

      • It seems there is no secure way to validate the identity of worker nodes during recovery in order to approve their CSRs automatically. As part of this work, explore the ACME protocol (RFC 8555) as an alternative way to receive and approve worker CSRs.
      • ACME (RFC 8555) has clients and libraries in Go, and open-source servers such as Boulder (https://github.com/letsencrypt/boulder), also written in Go.
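      As an added illustration (not part of this ticket, the KEP, or any OpenShift or Kubernetes component), the Go program below sketches the two concerns above in one flow: an approver that validates a kubelet-style CSR against an inventory obtained out of band before accepting it, and a signer that refuses to issue anything while its own certificate is outside its validity window. The signer CA, the inventory map, the node name "master-0" and the address 10.0.0.10 are constructed fixtures; the real approver and signer live in kube-controller-manager and are not reproduced here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// NewSigner is a self-signed CA standing in for the KCM CSR signer (hypothetical fixture, errors ignored for brevity).
func NewSigner(notBefore, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo-csr-signer"},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ValidateNodeCSR checks what the CSR alone can prove (proof of possession, a system:node:<name>/system:nodes
// subject, SANs limited to what the out-of-band inventory lists for that node). It cannot prove the submitter IS that node.
func ValidateNodeCSR(csrPEM []byte, inventory map[string]map[string]bool) (*x509.CertificateRequest, string, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, "", fmt.Errorf("not a PEM CERTIFICATE REQUEST")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, "", err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the private key
		return nil, "", fmt.Errorf("bad CSR signature: %w", err)
	}
	node := strings.TrimPrefix(csr.Subject.CommonName, "system:node:")
	if node == csr.Subject.CommonName || strings.Join(csr.Subject.Organization, ",") != "system:nodes" ||
		len(csr.EmailAddresses)+len(csr.URIs) > 0 {
		return nil, "", fmt.Errorf("subject %q is not a node identity", csr.Subject.String())
	}
	if inventory[node] == nil {
		return nil, "", fmt.Errorf("node %q is not in the inventory", node)
	}
	sans := append([]string{}, csr.DNSNames...)
	for _, ip := range csr.IPAddresses {
		sans = append(sans, ip.String())
	}
	for _, s := range sans {
		if !inventory[node][s] {
			return nil, "", fmt.Errorf("SAN %q is not an inventory address of %q", s, node)
		}
	}
	return csr, node, nil
}

// SignNodeCSR issues a short-lived serving cert from a validated CSR. The first check is the open question
// above: a signer past NotAfter must refuse, otherwise recovery only mints certificates nothing will trust.
func SignNodeCSR(ca *x509.Certificate, key *ecdsa.PrivateKey, csr *x509.CertificateRequest, now time.Time, ttl time.Duration) (*x509.Certificate, error) {
	if now.Before(ca.NotBefore) || now.After(ca.NotAfter) {
		return nil, fmt.Errorf("signer not valid at %s (NotAfter %s)", now.Format(time.RFC3339), ca.NotAfter.Format(time.RFC3339))
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()), Subject: csr.Subject, DNSNames: csr.DNSNames, IPAddresses: csr.IPAddresses,
		NotBefore: now, NotAfter: now.Add(ttl), KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// MakeNodeCSR builds a kubelet-serving-style CSR (constructed demo input, errors ignored for brevity).
func MakeNodeCSR(node string, ips []net.IP) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: "system:node:" + node, Organization: []string{"system:nodes"}},
		DNSNames: []string{node}, IPAddresses: ips,
	}, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
}

func main() {
	inv := map[string]map[string]bool{"master-0": {"master-0": true, "10.0.0.10": true}} // constructed inventory
	csr, node, err := ValidateNodeCSR(MakeNodeCSR("master-0", []net.IP{net.ParseIP("10.0.0.10")}), inv)
	fmt.Println("validated:", node, err)
	ca, key := NewSigner(time.Now().Add(-48*time.Hour), time.Now().Add(-time.Hour)) // signer already expired
	_, err = SignNodeCSR(ca, key, csr, time.Now(), time.Hour)
	fmt.Println("sign with expired signer:", err)
}
```

      The inventory is the important part: every check before it (PEM shape, proof of possession, subject, SAN syntax) can be satisfied by anyone able to submit a CSR, so the node name and addresses have to be confirmed from a source the requester does not control (the cloud provider listed under Dependencies, or an ACME challenge as proposed above). The signer check is deliberately separate from validation so that an expired KCM signer fails closed rather than issuing certificates.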

              vrutkovs@redhat.com Vadim Rutkovsky
              akashem@redhat.com Abu H Kashem