Story
Resolution: Done
Normal
OCPPLAN-7719 - Cluster API integration
Sprints: CLOUD Sprint 200, CLOUD Sprint 201, CLOUD Sprint 202, CLOUD Sprint 203, CLOUD Sprint 204, CLOUD Sprint 205, CLOUD Sprint 206, CLOUD Sprint 207, CLOUD Sprint 208, CLOUD Sprint 209, CLOUD Sprint 210, CLOUD Sprint 211
For HyperShift and for Cluster API experiments, we currently have no way to securely check CSRs created by Nodes as they start up. HyperShift currently auto approves all CSRs.
Before going into production, HyperShift will require our existing Cluster Machine Approver (or something equivalent) to approve certificates based on the existing security criteria we have within regular OpenShift clusters.
To enable the CMA to support both MAPI and CAPI based clusters, we can take the approach used in the cluster autoscaler:
- Convert internal code to use either unstructured objects or an internal machine type (we currently only read Machines, so we could stick to an internal type unmarshalled from either API)
- Allow API group and version to be specified via CLI args (to be able to switch between MAPI/CAPI)
- Internally split Node/CSR clients from Machine clients
- By default, use in cluster creds for both clients
- Allow kubeconfig override for Node/CSR/Machine clients via `--kubeconfig` flag
- Provide second kubeconfig override for Machine client via `--management-kubeconfig` flag
This should allow the CMA to continue working in existing clusters, but also allow usage in a pure CAPI cluster (by using the kubeconfig flag), or in split management/spoke clusters using both kubeconfig flags.
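As an added illustration of the first two bullets (this is not code from the CMA project): an internal, read-only Machine type decoded from either MAPI or CAPI JSON, with the accepted group/version taken from CLI flags so that an approver configured for one API rejects objects from the other. The flag names `--api-group`/`--api-version`, the sample objects and the field subset are assumptions.

```go
package main

import (
	"encoding/json"
	"flag"
	"fmt"
)

// Internal, read-only view of a Machine. The approver only reads nodeRef and addresses, which
// have the same shape in MAPI and CAPI, so one type unmarshals from either API (encoding/json
// matches field names case-insensitively).
type Machine struct {
	APIVersion, Kind string
	Metadata         struct{ Name, Namespace string }
	Status           struct {
		NodeRef   *struct{ Name string }
		Addresses []struct{ Type, Address string }
	}
}

// DecodeMachine unmarshals raw JSON and rejects any object whose apiVersion or kind differ
// from the group/version the approver was started with, so a MAPI-configured approver never
// silently trusts a CAPI object, and vice versa.
func DecodeMachine(raw []byte, wantAPIVersion string) (*Machine, error) {
	var m Machine
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	if m.Kind != "Machine" || m.APIVersion != wantAPIVersion {
		return nil, fmt.Errorf("unexpected object %s/%s, want %s/Machine", m.APIVersion, m.Kind, wantAPIVersion)
	}
	return &m, nil
}

// Constructed sample objects, reduced to the fields the approver reads.
const (
	mapiSample = `{"apiVersion":"machine.openshift.io/v1beta1","kind":"Machine","metadata":{"name":"worker-a","namespace":"openshift-machine-api"},"status":{"nodeRef":{"name":"worker-a"},"addresses":[{"type":"InternalIP","address":"10.0.0.10"}]}}`
	capiSample = `{"apiVersion":"cluster.x-k8s.io/v1beta1","kind":"Machine","metadata":{"name":"worker-b","namespace":"clusters"},"status":{"nodeRef":{"name":"worker-b"},"addresses":[{"type":"InternalDNS","address":"worker-b.example.internal"}]}}`
)

func main() {
	// Group and version come from CLI args (flag names are assumed) so one binary serves both.
	group := flag.String("api-group", "machine.openshift.io", "API group of Machine objects")
	version := flag.String("api-version", "v1beta1", "API version of Machine objects")
	flag.Parse()
	for _, raw := range []string{mapiSample, capiSample} {
		if m, err := DecodeMachine([]byte(raw), *group+"/"+*version); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("accepted machine", m.Metadata.Name, "for node", m.Status.NodeRef.Name)
		}
	}
}
```

Run with `--api-group cluster.x-k8s.io` to see the CAPI sample accepted and the MAPI one rejected instead.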
Blocks: HOSTEDCP-139 Enable Machine more secure auto approval (Closed)