Bug 1964231
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | Client certificate used to contact kubelet is not loaded dynamically | | |
| Product: | OpenShift Container Platform | Reporter: | Maru Newby <mnewby> |
| Component: | kube-apiserver | Assignee: | Maru Newby <mnewby> |
| Status: | CLOSED ERRATA | QA Contact: | Rahul Gangwar <rgangwar> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 4.9 | CC: | aos-bugs, kewang, mfojtik, xxia |
| Target Milestone: | --- | | |
| Target Release: | 4.9.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-10-18 17:31:44 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:3759
The apiserver is currently configured to talk to the kubelet with a client cert written to a revisioned path (e.g. /etc/kubernetes/static-pod-resources/kube-apiserver-11/secrets/kubelet-client/tls.{crt,key}). This means that any change in the client cert requires a new revision and a restart of the apiserver. It should be possible for the client cert to instead be written to the cert path and have the apiserver dynamically reload the cert. This would eliminate the need for restarting the apiserver when the client cert changed.
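The reload-instead-of-restart behaviour the report asks for, shown as an added Go example that is not part of this bug, the attached fix, or the OpenShift/Kubernetes code base: a client-cert loader that re-reads tls.crt and tls.key from one fixed path each time crypto/tls asks for a client certificate, so a rotated cert is picked up by the next handshake without restarting the process. The type and function names, the `kubelet-client-rev1`/`rev2` CNs and the self-signed fixture are this example's own assumptions, and the loader is not the apiserver's own implementation. The demo writes a cert, handshakes through one long-lived `tls.Config`, overwrites the files in place, and handshakes again.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"sync"
	"time"
)

// reloadingClientCert serves a TLS client cert from fixed file paths, re-parsing it
// whenever the PEM bytes on disk change. Added example; type and names are its own.
type reloadingClientCert struct {
	certPath, keyPath string
	mu                sync.Mutex
	certPEM, keyPEM   []byte // bytes of the last pair that parsed
	cached            *tls.Certificate
}

// GetClientCertificate matches the tls.Config callback of the same name, which crypto/tls
// runs on every handshake. Bytes, not mtimes, are compared; if the files are unreadable or
// cert and key disagree (a rotation caught half-written), the last good pair is kept.
func (r *reloadingClientCert) GetClientCertificate(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	certPEM, err := os.ReadFile(r.certPath)
	var keyPEM []byte
	if err == nil {
		keyPEM, err = os.ReadFile(r.keyPath)
	}
	if err == nil && r.cached != nil && bytes.Equal(certPEM, r.certPEM) && bytes.Equal(keyPEM, r.keyPEM) {
		return r.cached, nil // unchanged: skip the re-parse
	}
	var c tls.Certificate
	if err == nil {
		c, err = tls.X509KeyPair(certPEM, keyPEM) // errors when the key does not match the cert
	}
	if err != nil {
		if r.cached != nil {
			return r.cached, nil // keep serving the previous pair instead of failing handshakes
		}
		return nil, err
	}
	r.cached, r.certPEM, r.keyPEM = &c, certPEM, keyPEM
	return r.cached, nil
}

// writeSelfSigned writes a throwaway self-signed client cert/key with the given CN and
// returns the cert DER. Constructed fixture; real kubelet client certs come from a signer.
func writeSelfSigned(certPath, keyPath, cn string) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	keyDER, _ := x509.MarshalPKCS8PrivateKey(priv) // cannot fail for an ed25519 key
	if err := os.WriteFile(certPath, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600); err != nil {
		return nil, err
	}
	return der, os.WriteFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), 0o600)
}

// demoRotation handshakes through one long-lived tls.Config, overwrites the files in place,
// and handshakes again: the second call already presents the rotated cert.
func demoRotation(dir string) (bool, error) {
	certPath, keyPath := dir+"/tls.crt", dir+"/tls.key"
	loader := &reloadingClientCert{certPath: certPath, keyPath: keyPath}
	cfg := &tls.Config{GetClientCertificate: loader.GetClientCertificate}
	if _, err := writeSelfSigned(certPath, keyPath, "kubelet-client-rev1"); err != nil {
		return false, err
	}
	if _, err := cfg.GetClientCertificate(nil); err != nil { // first handshake fills the cache
		return false, err
	}
	rotated, err := writeSelfSigned(certPath, keyPath, "kubelet-client-rev2")
	if err != nil {
		return false, err
	}
	c, err := cfg.GetClientCertificate(nil) // next handshake, same config, no restart
	if err != nil {
		return false, err
	}
	return bytes.Equal(c.Certificate[0], rotated), nil
}

func main() {
	dir, _ := os.MkdirTemp("", "kubelet-client") // demo only; error check elided
	defer os.RemoveAll(dir)
	fmt.Println(demoRotation(dir))
}
```

Two details matter for a loader like this in a long-running server: the callback runs on every outgoing handshake, so the byte comparison keeps the common unchanged case to two small file reads and no re-parse; and a rotation that replaces the cert before the key (or vice versa) leaves a window where the pair does not match, which the loader survives by continuing to present the previously loaded pair rather than failing handshakes.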