Bug
Resolution: Done
Major
4.13, 4.12, 4.11, 4.14
None
No
3
OSDOCS Sprint 243, OSDOCS Sprint 244, OSDOCS Sprint 245, OSDOCS Sprint 246, OSDOCS Sprint 247, OSDOCS Sprint 248, OSDOCS Sprint 249, OSDOCS Sprint 250, OSDOCS Sprint 251
9
Rejected
False
N/A
Release Note Not Required
Description of problem:
Kubelet CA certificates are not described in the documentation under "Certificate types and descriptions" https://docs.openshift.com/container-platform/4.13/security/certificate_types_descriptions/user-provided-certificates-for-api-server.html
Version-Release number of selected component (if applicable):
4.11+
How reproducible:
Always
Additional info:
This bug has been opened in response to feedback from Fujitsu, as follows:

We recognize that there is no description of the Kubelet CA cert in the document[*1]. So, we would like you to add the description of the Kubelet CA cert based on the information of KCS (https://access.redhat.com/articles/5651701) like other certificates.

For example, we expect the following description:

-----
Management
- These certificates are managed by the system and not the user.

Expiration
- OpenShift v4 automatically generates a new kube-apiserver-to-kubelet-signer CA certificate at 292 days and removes the old CA certificate after 365 days.
- The renewal of cert as well as removal of certs does not cause reboot of nodes

Customization
- Initiating the renewal ahead of time can only be performed by users that are members of the cluster-admin role via the following command
  $ oc annotate -n openshift-kube-apiserver-operator secret kube-apiserver-to-kubelet-signer auth.openshift.io/certificate-not-after-