OpenShift Request For Enhancement: RFE-1793

Limit kubelet CSRs to use node FQDN

Details

    • Feature Request
    • Resolution: Done
    • Normal
    • Auth

    Description

      1. Proposed title of this feature request:

      Limit kubelet CSRs to use host FQDN

      2. What is the nature and description of the request?

      Add a configuration option to the kubelet to limit the SAN in CSRs to use the node's FQDN, rather than the default behaviour of automatically detecting IP addresses in use by the node.

      3. Why does the customer need this? (List the business requirements here)

      On vSphere, when egress IPs are added to nodes, CSRs for nodes are not automatically approved as this results in the kubelet adding new IP information. In this case, certificates must be manually approved. See: https://bugzilla.redhat.com/show_bug.cgi?id=1860774

      Egress IPs were new in 4.6 (https://docs.openshift.com/container-platform/4.6/networking/ovn_kubernetes_network_provider/configuring-egress) and the kubelet does not currently have a way of filtering out these IPs in CSRs.

      4. List any affected packages or components.

      Kubelet, possibly client-go
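
The mismatch described in item 3, as an added example that is not part of the original request and not kubelet, client-go or OpenShift approver code: it builds two sample CSRs and lists the SANs that are not among the addresses on record for the node. The hostname, the IPs (documentation ranges), the function names and the "every SAN must be a recorded address" rule are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"net"
)

// makeCSR builds, signs and re-parses a sample CSR with the given SANs (constructed data).
func makeCSR(fqdn string, ips []net.IP) (*x509.CertificateRequest, error) {
	tmpl := &x509.CertificateRequest{DNSNames: []string{fqdn}, IPAddresses: ips}
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

// unexpectedSANs lists CSR SANs absent from the node's recorded addresses (hypothetical rule: approve only if empty).
func unexpectedSANs(csr *x509.CertificateRequest, known map[string]bool) []string {
	sans := append([]string{}, csr.DNSNames...)
	for _, ip := range csr.IPAddresses {
		sans = append(sans, ip.String())
	}
	var extra []string
	for _, s := range sans {
		if !known[s] {
			extra = append(extra, s)
		}
	}
	return extra
}

func main() {
	known := map[string]bool{"worker-0.example.test": true, "192.0.2.10": true}
	detected := []net.IP{net.ParseIP("192.0.2.10"), net.ParseIP("192.0.2.200")} // second one stands in for an egress IP
	for _, ips := range [][]net.IP{detected, nil} {
		csr, err := makeCSR("worker-0.example.test", ips)
		if err != nil {
			panic(err)
		}
		fmt.Println("SANs not on record:", unexpectedSANs(csr, known))
	}
}
```

The CSR with auto-detected IPs carries one SAN that is not on record, while the FQDN-only CSR carries none, however many addresses the node later gains.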

          People

            atelang@redhat.com Anjali Telang
            ehashman@redhat.com Elana Hashman (Inactive)