Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-10223

kubeconfig CA includes all signers

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • 4.13.0, 4.14.0
    • 4.13
    • MicroShift
    • None
    • No
    • uShift Sprint 233
    • 1
    • Rejected
    • False
    • Hide

      None

      Show
      None
    • The certificate authorities used to generate kubeconfig files for MicroShift's embedded components are reconfigured to ensure the kubeconfigs are independent.
    • Bug Fix

      Description of problem:

      All kubeconfigs are using a CA bundle including all 3 different signers: service network, localhost and external. This makes kubeconfigs interchangeable and capable of validating for other networks than the ones they are intended to be used.
      Each kubeconfig shall use the signer for the network it belongs to.

      Version-Release number of selected component (if applicable):

      4.13

      How reproducible:

      Install MicroShift, then check the CAs for all generated kubeconfigs under /var/lib/microshift/resources/kubeadmin

      Steps to Reproduce:

      1.
      2.
      3.
      

      Actual results:

      Same CA in all kubeconfigs

      Expected results:

      Specific network CA for each kubeconfig

      Additional info:

       

              pacevedo@redhat.com Pablo Acevedo Montserrat
              pacevedo@redhat.com Pablo Acevedo Montserrat
              John George John George
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: