OpenShift Request For Enhancement / RFE-1793

Limit kubelet CSRs to use node FQDN


      1. Proposed title of this feature request:

      Limit kubelet CSRs to use host FQDN

      2. What is the nature and description of the request?

      Add a configuration option to the kubelet to limit the SAN in CSRs to use the node's FQDN, rather than the default behaviour of automatically detecting IP addresses in use by the node.

      3. Why does the customer need this? (List the business requirements here)

      On vSphere, when egress IPs are added to nodes, CSRs for nodes are not automatically approved as this results in the kubelet adding new IP information. In this case, certificates must be manually approved. See: https://bugzilla.redhat.com/show_bug.cgi?id=1860774

      Egress IPs were new in 4.6 (https://docs.openshift.com/container-platform/4.6/networking/ovn_kubernetes_network_provider/configuring-egress) and the kubelet does not currently have a way of filtering out these IPs in CSRs.

      4. List any affected packages or components.

      Kubelet, possibly client-go
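
Added example (not part of the original request and not OpenShift's code): a Go program that compares the SANs in a CSR against the node's FQDN and its known addresses, which is the comparison that makes an egress IP stand out as described in item 3. The function names, the hostname `worker-0.example.com` and the 192.0.2.x addresses are constructed for illustration, and the check is a simplified assumption about what an approver compares, not the cluster's actual approval logic.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"net"
)

// newServingCSR builds and re-parses a CSR carrying the given SANs (constructed sample data).
func newServingCSR(fqdn string, ips ...net.IP) (*x509.CertificateRequest, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{DNSNames: []string{fqdn}, IPAddresses: ips}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

// unexpectedSANs lists every SAN that is neither the node FQDN nor an IP in knownIPs.
func unexpectedSANs(csr *x509.CertificateRequest, fqdn string, knownIPs ...net.IP) []string {
	var extra []string
	for _, d := range csr.DNSNames {
		if d != fqdn {
			extra = append(extra, "DNS:"+d)
		}
	}
	for _, ip := range csr.IPAddresses {
		matched := false
		for _, k := range knownIPs {
			matched = matched || k.Equal(ip)
		}
		if !matched {
			extra = append(extra, "IP:"+ip.String())
		}
	}
	return extra
}

func main() {
	node, egress := net.ParseIP("192.0.2.10"), net.ParseIP("192.0.2.200") // constructed addresses
	if csr, err := newServingCSR("worker-0.example.com", node, egress); err == nil {
		fmt.Println(unexpectedSANs(csr, "worker-0.example.com", node)) // [IP:192.0.2.200]
	}
}
```

A CSR whose only SAN is the FQDN returns an empty list regardless of which IPs are later added to the node, which is the property the requested option would provide.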

              atelang@redhat.com Anjali Telang
              ehashman@redhat.com Elana Hashman (Inactive)