Bug 1964231 - Client certificate used to contact kubelet is not loaded dynamically
Summary: Client certificate used to contact kubelet is not loaded dynamically
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: kube-apiserver
Version: 4.9
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: 4.9.0
Assignee: Maru Newby
QA Contact: Rahul Gangwar
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-05-25 04:11 UTC by Maru Newby
Modified: 2021-10-18 17:32 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-18 17:31:44 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift cluster-kube-apiserver-operator pull 1151 0 None open Bug 1964231: Ensure kubelet client cert change does not require a restart 2021-06-17 17:42:55 UTC
Red Hat Product Errata RHSA-2021:3759 0 None None None 2021-10-18 17:32:03 UTC

Description Maru Newby 2021-05-25 04:11:18 UTC
The apiserver is currently configured to talk to the kubelet with a client cert written to a revisioned path (e.g. /etc/kubernetes/static-pod-resources/kube-apiserver-11/secrets/kubelet-client/tls.{crt,key}). This means that any change in the client cert requires a new revision and a restart of the apiserver.

It should be possible for the client cert to instead be written to the cert path and have the apiserver dynamically reload the cert. This would eliminated the need for restarting the apiserver when the client cert changed.

Comment 7 errata-xmlrpc 2021-10-18 17:31:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759


Note You need to log in before you can comment on or make changes to this bug.