Enable the certificates.k8s.io API to issue cluster certificates

* System components that require certificates signed by the cluster CA can submit a CSR to the apiserver, have an administrator inspect and approve it, and be issued a certificate
* Configure kube-controller-manager to sign Approved CSRs using the cluster CA private key
* Admins are responsible for approving or denying CSRs; otherwise, no certificate is issued. Read the Kubernetes docs carefully and verify the entity making the request and the authorization level
* https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster
parent 60c70797ec
commit bfe0c74793
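As an added worked example (not part of this commit or of the typhoon project), here is the pre-approval check the commit message asks administrators to perform, written as a Python script that runs offline. It assumes the certificates.k8s.io CSR object shape (`spec.request` holding base64-encoded PEM, plus `spec.username`, `spec.groups` and `spec.usages`), builds its own sample CSRs with a minimal DER encoder instead of talking to a cluster, and applies one example policy for node (kubelet) certificates: the authenticated requester must be the node named in the subject CN, the subject organization must be exactly `system:nodes`, and key usages are limited to client/server authentication. That policy is a choice made here, not a rule from the page; TLS bootstrap flows, where a bootstrap-token identity requests a node's first certificate, need a different rule.

```python
import base64

# --- tiny DER encoder, used only to construct sample CSRs offline (assumption: no real
#     CA or cluster is involved; public key and signature fields are empty placeholders) ---
def der(tag, content):
    n = len(content)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + content

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))

OID_CN, OID_O = "2.5.4.3", "2.5.4.10"

def build_sample_csr(cn, orgs):
    """Constructed PKCS#10 CSR (PEM) whose subject carries the given O values and CN."""
    rdns = [der(0x31, der(0x30, der_oid(OID_O) + der(0x13, o.encode()))) for o in orgs]
    rdns.append(der(0x31, der(0x30, der_oid(OID_CN) + der(0x13, cn.encode()))))
    cri = der(0x30, der(0x02, b"\x00")          # version 0
              + der(0x30, b"".join(rdns))        # subject Name
              + der(0x30, b"")                   # SubjectPublicKeyInfo placeholder
              + der(0xA0, b""))                  # attributes, empty
    csr = der(0x30, cri + der(0x30, b"") + der(0x03, b"\x00"))  # sigalg/signature placeholders
    b64 = base64.b64encode(csr).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{body}\n-----END CERTIFICATE REQUEST-----\n"

# --- minimal DER reader: enough to pull CN and O out of a CSR subject ---
def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def elements(content):
    """Children (tag, body) of a constructed DER value."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

OID_BYTES = {der_oid(OID_CN)[2:]: "CN", der_oid(OID_O)[2:]: "O"}

def csr_subject(pem):
    """{'CN': str|None, 'O': [str, ...]} from a PEM-encoded PKCS#10 CSR."""
    b64 = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    _, csr_body, _ = read_tlv(base64.b64decode(b64))
    _, cri_body = elements(csr_body)[0]             # CertificationRequestInfo
    _, name_body = elements(cri_body)[1]            # [version, subject, spki, attrs]
    subject = {"CN": None, "O": []}
    for _, rdn in elements(name_body):              # RDN = SET of AttributeTypeAndValue
        for _, atv in elements(rdn):
            (_, oid), (_, value) = elements(atv)
            kind = OID_BYTES.get(oid)
            if kind == "CN":
                subject["CN"] = value.decode()
            elif kind == "O":
                subject["O"].append(value.decode())
    return subject

# --- the administrator's pre-approval policy (example policy, see lead-in) ---
ALLOWED_USAGES = {"digital signature", "key encipherment", "client auth", "server auth"}

def check_node_csr(csr):
    """Return (ok, problems) for a CSR object as returned by `kubectl get csr -o json`."""
    spec = csr["spec"]
    subject = csr_subject(base64.b64decode(spec["request"]).decode())  # API stores base64(PEM)
    cn, problems = subject["CN"] or "", []
    if not cn.startswith("system:node:"):
        problems.append(f"subject CN {cn!r} is not a node identity")
    if subject["O"] != ["system:nodes"]:
        problems.append(f"subject O {subject['O']} is not exactly ['system:nodes']")
    if spec["username"] != cn:                       # requester must be the node it asks to become
        problems.append(f"requester {spec['username']!r} does not match subject CN {cn!r}")
    if "system:nodes" not in spec.get("groups", []):
        problems.append("requester is not in group system:nodes")
    unexpected = set(spec.get("usages", [])) - ALLOWED_USAGES
    if unexpected:                                   # e.g. 'cert sign' would mint a sub-CA
        problems.append(f"unexpected key usages {sorted(unexpected)}")
    return (not problems, problems)

def sample_csr_object(username, groups, cn, orgs, usages):
    """Constructed CSR object in the certificates.k8s.io API shape."""
    request = base64.b64encode(build_sample_csr(cn, orgs).encode()).decode()
    return {"metadata": {"name": "csr-sample"},
            "spec": {"request": request, "username": username, "groups": groups, "usages": usages}}

if __name__ == "__main__":
    good = sample_csr_object("system:node:worker-1", ["system:nodes", "system:authenticated"],
                             "system:node:worker-1", ["system:nodes"],
                             ["digital signature", "key encipherment", "server auth"])
    bad = sample_csr_object("bob", ["system:authenticated"], "system:node:worker-1",
                            ["system:masters"], ["digital signature", "client auth", "cert sign"])
    for obj in (good, bad):
        ok, problems = check_node_csr(obj)
        print(obj["spec"]["username"], "->", "approve" if ok else "deny", problems)
```

Run as-is it prints one approve and one deny verdict with the reasons; in practice the dictionary passed to `check_node_csr` would come from `kubectl get csr <name> -o json`, and an approve verdict is the precondition for `kubectl certificate approve`, since once a CSR reaches Approved the controller manager signs it with the cluster CA key without further checks.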
@ -7,6 +7,8 @@ Notable changes between versions.
* Add ServiceAccounts for `kube-apiserver` and `kube-scheduler` ([#370](https://github.com/poseidon/typhoon/pull/370))
* Use a lower-privilege TLS client certificate with org `system:nodes` for Kubelets ([#372](https://github.com/poseidon/typhoon/pull/372))
* Bind the `system:nodes` group to the `system:node` ClusterRole
* Allow the `certificates.k8s.io` API to issue certificates signed by the cluster CA ([#376](https://github.com/poseidon/typhoon/pull/376))
* Configure controller manager to sign CSRs that are manually [approved](https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster) by an administrator
* Update CoreDNS from v1.2.6 to [v1.3.0](https://coredns.io/2018/12/15/coredns-1.3.0-release/)

#### AWS
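Review bot: the two added CHANGELOG entries (`Allow the certificates.k8s.io API ...` and `Configure controller manager to sign CSRs ...`) leave out the operational consequence the commit message spells out: nothing is signed until an administrator approves the CSR, and the controller manager signs whatever reaches Approved, so approval is the point at which the requester's identity and authorization level must be checked. Suggest extending the second entry, e.g. `... by an administrator; unapproved CSRs are never signed, so verify the requester before approving`, so operators reading the release notes know the approval step is the security boundary.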
@ -1,6 +1,6 @@
# Self-hosted Kubernetes assets (kubeconfig, manifests)
module "bootkube" {
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=847ec5929b4b4b3d8b922dbbee4a3ecefd71f597"
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=0e65e3567e586b7344e332e089fea71657d7a5bb"

cluster_name = "${var.cluster_name}"
api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
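Review bot: the only change in this module block is the pinned `terraform-render-bootkube` ref (847ec59... to 0e65e35...), so the behaviour the commit message describes (kube-controller-manager signing approved CSRs with the cluster CA private key) cannot be reviewed from this diff; it lives in that upstream ref. Suggest linking the corresponding terraform-render-bootkube change in the PR description (#376 per the CHANGELOG hunk) so reviewers can confirm what the new ref changes in the controller manager manifest and how the cluster CA private key is made available to it. Pinning to a full commit SHA rather than a branch name is the right choice for a dependency that handles the CA key.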
@ -1,6 +1,6 @@
# Self-hosted Kubernetes assets (kubeconfig, manifests)
module "bootkube" {
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=847ec5929b4b4b3d8b922dbbee4a3ecefd71f597"
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=0e65e3567e586b7344e332e089fea71657d7a5bb"

cluster_name = "${var.cluster_name}"
api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
@ -1,6 +1,6 @@
# Self-hosted Kubernetes assets (kubeconfig, manifests)
module "bootkube" {
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=847ec5929b4b4b3d8b922dbbee4a3ecefd71f597"
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=0e65e3567e586b7344e332e089fea71657d7a5bb"

cluster_name = "${var.cluster_name}"
api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
@ -1,6 +1,6 @@
# Self-hosted Kubernetes assets (kubeconfig, manifests)
module "bootkube" {
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=847ec5929b4b4b3d8b922dbbee4a3ecefd71f597"
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=0e65e3567e586b7344e332e089fea71657d7a5bb"

cluster_name = "${var.cluster_name}"
api_servers = ["${var.k8s_domain_name}"]
@ -1,6 +1,6 @@
# Self-hosted Kubernetes assets (kubeconfig, manifests)
module "bootkube" {
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=847ec5929b4b4b3d8b922dbbee4a3ecefd71f597"
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=0e65e3567e586b7344e332e089fea71657d7a5bb"

cluster_name = "${var.cluster_name}"
api_servers = ["${var.k8s_domain_name}"]
@ -1,6 +1,6 @@
# Self-hosted Kubernetes assets (kubeconfig, manifests)
module "bootkube" {
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=847ec5929b4b4b3d8b922dbbee4a3ecefd71f597"
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=0e65e3567e586b7344e332e089fea71657d7a5bb"

cluster_name = "${var.cluster_name}"
api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
@ -1,6 +1,6 @@
# Self-hosted Kubernetes assets (kubeconfig, manifests)
module "bootkube" {
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=847ec5929b4b4b3d8b922dbbee4a3ecefd71f597"
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=0e65e3567e586b7344e332e089fea71657d7a5bb"

cluster_name = "${var.cluster_name}"
api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
@ -1,6 +1,6 @@
# Self-hosted Kubernetes assets (kubeconfig, manifests)
module "bootkube" {
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=847ec5929b4b4b3d8b922dbbee4a3ecefd71f597"
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=0e65e3567e586b7344e332e089fea71657d7a5bb"

cluster_name = "${var.cluster_name}"
api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
@ -1,6 +1,6 @@
# Self-hosted Kubernetes assets (kubeconfig, manifests)
module "bootkube" {
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=847ec5929b4b4b3d8b922dbbee4a3ecefd71f597"
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=0e65e3567e586b7344e332e089fea71657d7a5bb"

cluster_name = "${var.cluster_name}"
api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
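Review bot: consistency check across the nine `module "bootkube"` blocks in this commit: each one moves from the same old ref 847ec59... to the same new ref 0e65e35..., and the two blocks whose `api_servers` context line reads `["${var.k8s_domain_name}"]` differ from the others only in that unchanged line, so no platform is left rendering from the old bootkube version and all clusters get the same CSR-signing behaviour. Nothing further to change in these hunks.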