-
Bug
-
Resolution: Done
-
Major
-
4.13
-
None
-
No
-
uShift Sprint 233
-
1
-
Rejected
-
False
-
-
The certificate authorities used to generate kubeconfig files for MicroShift's embedded components are reconfigured to ensure the kubeconfigs are independent.
-
Bug Fix
Description of problem:
All kubeconfigs are using a CA bundle including all 3 different signers: service network, localhost and external. This makes kubeconfigs interchangeable and capable of validating for other networks than the ones they are intended to be used. Each kubeconfig shall use the signer for the network it belongs to.
Version-Release number of selected component (if applicable):
4.13
How reproducible:
Install MicroShift, then check the CAs for all generated kubeconfigs under /var/lib/microshift/resources/kubeadmin
Steps to Reproduce:
1. 2. 3.
Actual results:
Same CA in all kubeconfigs
Expected results:
Specific network CA for each kubeconfig
Additional info:
- clones
-
OCPBUGS-8301 kubeconfig CA includes all signers
- Closed
- is blocked by
-
OCPBUGS-8301 kubeconfig CA includes all signers
- Closed
- links to