Enhancements: Kubelet Server TLS Certificate Rotation

Created on 25 Apr 2017  ·  48 Comments  ·  Source: kubernetes/enhancements

Feature Description

  • One-line feature description (can be used as a release note):
    Rotation of the server TLS certificate on the kubelet.

  • Primary contact (assignee):
    @mikedanese @liggitt

  • Responsible SIGs:
    sig-auth

  • Design proposal link (community repo): https://github.com/kubernetes/community/pull/602

  • Reviewer(s) - (for LGTM) recommend having 2+ reviewers (at least one from code-area OWNERS file) agreed to review. Reviewers from multiple companies preferred:
    @mikedanese @awly

  • Approver (likely from SIG/area to which feature belongs):
    @tallclair

  • Initial target stage (alpha/beta/stable) and release (x.y):

    • alpha 1.7
    • beta 1.12
    Labels: kind/feature, sig/auth, stage/beta, tracked/no

All 48 comments

I'm assuming this encompasses initial bootstrapping of the serving cert too?

Yes, initial bootstrapping of the server cert will be covered by this. Would you like a separate one, or just checking that feature wasn't lost in the shuffle?

Just checking, thanks.

@jcbsmpsn please, provide us with the design proposal link

@jcbsmpsn updated the feature description with the link, thanks.

Actually, I wouldn't. There's more work to do here with determining which SANs a node is allowed to serve.

@jcbsmpsn
What is the link for the documentation update for certificate rotation? Is there no docs that need update?

@apsinha Some documentation for this is included in https://github.com/kubernetes/kubernetes.github.io/pull/4208

@jcbsmpsn Can you please update this feature's status for v1.8?
Is beta targeted or will this be still in alpha?

@jcbsmpsn @kubernetes/sig-auth-feature-requests can you confirm that this feature targets 1.8?

If yes, please, update the features tracking spreadsheet with the feature data, otherwise, let's remove this item from 1.8 milestone.

Thanks

Bumping this to the 1.9 milestone since there wasn't much work done on it during 1.8.

Currently the kubelet provides the CN and the SANs that go into the certificate. Without some mechanism for the signing server to validate that information, it is possible for the kubelet to request a certificate for a domain it shouldn't and get the certificate (which would be a server certificate) blessed by the cluster CA.

This feature should remain alpha until there is an answer this problem.

@mikedanese
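The gap described above (the kubelet chooses its own CN and SANs, and nothing checks them before the cluster CA signs) is what a signer-side check has to close. The following is an added example, not code from this issue or from Kubernetes: it validates a serving CSR against what the cluster already records about the node. `NodeIdentity` is an assumed shape standing in for data taken from the Node object, and `NewServingCSR` is only a helper for constructing test input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"net"
)
// NodeIdentity: what the signer trusts about a node, from the Node object, never from the CSR (assumed shape).
type NodeIdentity struct {
	Name string          // node name, e.g. "node-1"
	IPs  map[string]bool // addresses the cluster has recorded for the node
}
// ValidateServingCSR accepts a kubelet serving CSR only if its subject and SANs all belong to that node.
func ValidateServingCSR(der []byte, node NodeIdentity) error {
	csr, err := x509.ParseCertificateRequest(der)
	if err == nil {
		err = csr.CheckSignature() // proof of possession of the requested key
	}
	if err != nil {
		return fmt.Errorf("invalid CSR: %w", err)
	}
	if csr.Subject.CommonName != "system:node:"+node.Name {
		return fmt.Errorf("CN %q does not match node %q", csr.Subject.CommonName, node.Name)
	}
	// DNS SANs may only name the node itself, IP SANs only its recorded addresses; anything else would be blessed by the CA.
	for _, dns := range csr.DNSNames {
		if dns != node.Name {
			return fmt.Errorf("DNS SAN %q not permitted for node %q", dns, node.Name)
		}
	}
	for _, ip := range csr.IPAddresses {
		if !node.IPs[ip.String()] {
			return fmt.Errorf("IP SAN %s not permitted for node %q", ip, node.Name)
		}
	}
	return nil
}
// NewServingCSR builds a DER CSR shaped like a kubelet's request, for constructed inputs (test helper, not kubelet code).
func NewServingCSR(nodeName string, dns []string, ips []net.IP) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "system:node:" + nodeName}, DNSNames: dns, IPAddresses: ips}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}
```

The same check belongs in whatever approves kubelet serving CSRs, with the allowed names and addresses sourced from the Node object rather than from the request.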

@jcbsmpsn Is this on track shipping to beta in v1.9? Have we found a solution to the problem?

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@jcbsmpsn @kubernetes/sig-auth-feature-requests
Any plans for this in 1.11?

If so, can you please ensure the feature is up-to-date with the appropriate:

  • Description
  • Milestone
  • Assignee(s)
  • Labels:

    • stage/{alpha,beta,stable}

    • sig/*

    • kind/feature

cc @idvoretskyi

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten
/remove-lifecycle stale

/lifecycle frozen


@mikedanese I updated this to beta for 1.12, just for the rotation/kubelet bits, since the approval piece was moved out of scope

Thanks for the update! This has been added to the 1.12 Tracking sheet.

Hey there! @jcbsmpsn I'm the wrangler for the Docs this release. Is there any chance I could have you open up a docs PR against the release-1.12 branch as a placeholder? That gives us more confidence in the feature shipping in this release and gives me something to work with when we start doing reviews/edits. Thanks! If this feature does not require docs, could you please update the features tracking spreadsheet to reflect it?


Hi folks,
Kubernetes 1.13 is going to be a 'stable' release since the cycle is only 10 weeks. We encourage no big alpha features and only consider adding this feature if you have a high level of confidence it will make code slush by 11/09. Are there plans for this enhancement to graduate to beta/stable within the 1.13 release cycle? If not, can you please remove it from the 1.12 milestone or add it to 1.13?

We are also now encouraging that every new enhancement aligns with a KEP. If a KEP has been created, please link to it in the original post. Please take the opportunity to develop a KEP.

@liggitt @mikedanese @jcbsmpsn any plans to graduate for 1.13?

@kubernetes/sig-auth-feature-requests any plans to graduate this for v1.14?

@jcbsmpsn Hello - I'm the enhancements lead for 1.14 and I'm checking in on this issue to see what work (if any) is being planned for the 1.14 release. Enhancements freeze is Jan 29th and I want to remind that all enhancements must have a KEP.

Is there a list of work items we can look at? I would love to help on these work items.

Hello @jcbsmpsn, I'm the Enhancement Lead for 1.15. Is this feature going to be graduating alpha/beta/stable stages in 1.15? Please let me know so it can be tracked properly and added to the spreadsheet. This will also require an official KEP to be included. Please work on that first.

Once coding begins, please list all relevant k/k PRs in this issue so they can be tracked properly.

Hi @jcbsmpsn, I'm the 1.16 Enhancement Lead/Shadow. Is this feature going to be graduating alpha/beta/stable stages in 1.16? Please let me know so it can be added to the 1.16 Tracking Spreadsheet. If it's not graduating, I will remove it from the milestone and change the tracked label.

Once coding begins or if it already has, please list all relevant k/k PRs in this issue so they can be tracked properly.

As a reminder, every enhancement requires a KEP in an implementable state with Graduation Criteria explaining each alpha/beta/stable stages requirements.

Milestone dates are Enhancement Freeze 7/30 and Code Freeze 8/29.

Thank you.

Hello @jcbsmpsn, 1.17 Enhancement Shadow here! 🙂

I wanted to reach out to see if this enhancement will be graduating to alpha/beta/stable in 1.17?

Please let me know so that this enhancement can be added to the 1.17 tracking sheet.

Thank you!

🔔 Friendly Reminder

  • The current release schedule is

    • Monday, September 23 - Release Cycle Begins

    • Tuesday, October 15, EOD PST - Enhancements Freeze

    • Thursday, November 14, EOD PST - Code Freeze

    • Tuesday, November 19 - Docs must be completed and reviewed

    • Monday, December 9 - Kubernetes 1.17.0 Released

  • A Kubernetes Enhancement Proposal (KEP) must meet the following criteria before Enhancement Freeze to be accepted into the release

    • PR is merged in
    • In an implementable state
    • Include test plan and graduation criteria
  • All relevant k/k PRs should be listed in this issue

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

/remove-lifecycle stale

@mikedanese is this something that you expect any progress on in the 1.18 cycle? I am enhancements shadow for the release team and so we need to know if it should be tracked.

(from @mikedanese): Blocked on Certificates API going GA

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

/remove-lifecycle stale

/assign
/milestone v1.19

The CSR API is targeting v1 in 1.19

Hi @liggitt @jcbsmpsn !

1.19 Enhancements shadow here. I wanted to check in and see if you think this Enhancement will be graduating in 1.19?

In order to have this part of the release:

  • The KEP PR must be merged in an implementable state
  • The KEP must have test plans
  • The KEP must have graduation criteria.

The current release schedule is:

  • Monday, April 13: Week 1 - Release cycle begins
  • Tuesday, May 19: Week 6 - Enhancements Freeze
  • Thursday, June 25: Week 11 - Code Freeze
  • Thursday, July 9: Week 14 - Docs must be completed and reviewed
  • Tuesday, August 4: Week 17 - Kubernetes v1.19.0 released

Please let me know and I'll add it to the 1.19 tracking sheet (http://bit.ly/k8s-1-19-enhancements). Once coding begins please list all relevant k/k PRs in this issue so they can be tracked properly. 👍

Thanks!

Gentle reminder: Enhancements Freeze is Tuesday, May 19th (EOD PST). To be included in the release, this enhancement must have a merged KEP in the implementable status. The KEP must also have graduation criteria and a Test Plan defined. Once coding begins please list all relevant k/k PRs in this issue so they can be tracked properly.

As an additional note, #1620 merged recently, adding production readiness review questions to the KEP template. We are not making it mandatory for the 1.19 release cycle, but it would be great if the PRR questionnaire is filled since the KEP PR is in flight.

If you have any questions please let me know.

Thanks!

As a reminder, enhancements freeze is tomorrow May 19th EOD PST. In order to be included in 1.19 all KEPS must be implementable with graduation criteria and a test plan.

Thanks.

The focus in 1.19 is the CSR API (https://github.com/kubernetes/enhancements/issues/1513) and the client certificate rotation (https://github.com/kubernetes/enhancements/issues/266). This will get attention in 1.20.

/milestone v1.20

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

/remove-lifecycle stale

Hi @liggitt !

Enhancements Lead here, is there any planned work for this in 1.20?

Thanks!
Kirsten

not for 1.20

thanks again for all of your responses @liggitt !!

/milestone clear
