kubernetes / kubeadm

Aggregator for issues filed against kubeadm
Apache License 2.0

Support configurable key size for self-signed certs (from the default 2048 bit) #2722

Closed geneliu closed 2 years ago

geneliu commented 2 years ago

Is this a BUG REPORT or FEATURE REQUEST?

FEATURE REQUEST

Versions

kubeadm version (use kubeadm version): v1.23.7 kubeadm version: &version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.7", GitCommit:"42c05a547468804b2053ecf60a3bd15560362fc2", GitTreeState:"clean", BuildDate:"2022-05-24T12:29:44Z", GoVersion:"go1.17.10", Compiler:"gc", Platform:"linux/amd64"}

Environment:

What happened?

kubeadm init phase certs generates a self-signed key with a 2048-bit key size. It failed the kubeapi health check with a connection failure: [SSL: EE_KEY_TOO_SMALL] ee key too small

kubeadm init phase certs apiserver-kubelet-client --config /etc/kubernetes/kubeadm-config.yaml

What you expected to happen?

A way to specify self-signed key size for kubeadm init ...

How to reproduce it (as minimally and precisely as possible)?

Anytime to generate certs via kubeadm init phase certs

Anything else we need to know?

It's blocking the use of kubeadm to set up a cluster on any system with crypto hardening (e.g., RHEL8 crypto-policies "FUTURE").

neolit123 commented 2 years ago

Hi. Sorry but key size, cert expiration and other options were discussed in the past and were established as options we don't want to expose.

Unless I am missing something, 2048 is still a size that fits the 1-year brute-force-prevention recommendation. https://www.fastly.com/blog/key-size-for-tls

2048-bit RSA key length fulfills the NIST recommendation until late in this decade.

If you want custom certs and keys you can use kubeadm certs generate-csr.
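Before running kubeadm on a host with a hardened crypto policy, it helps to audit the generated PKI for exactly the condition behind EE_KEY_TOO_SMALL. The following Go program is an added example, not kubeadm's own code: it reads a PEM certificate and reports the RSA modulus size against a minimum. The 3072-bit threshold and the apiserver.crt path are assumptions standing in for whatever the local policy demands; the sample certificate is constructed in code rather than read from disk.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// MinRSABits is an assumed threshold for a hardened policy such as RHEL 8 "FUTURE".
const MinRSABits = 3072

// CheckPEMCert returns the RSA modulus size of a PEM certificate and whether it meets minBits.
func CheckPEMCert(pemBytes []byte, minBits int) (int, bool, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return 0, false, fmt.Errorf("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, false, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return 0, false, fmt.Errorf("not an RSA key: %T", cert.PublicKey)
	}
	bits := pub.N.BitLen() // the modulus length is what EE_KEY_TOO_SMALL is judging
	return bits, bits >= minBits, nil
}

// selfSignedRSA builds a constructed sample cert, standing in for a file such as /etc/kubernetes/pki/apiserver.crt.
func selfSignedRSA(bits int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "kube-apiserver"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() { c, _ := selfSignedRSA(2048); fmt.Println(CheckPEMCert(c, MinRSABits)) }
```

Point CheckPEMCert at the files under the kubeadm PKI directory to see which certificates a 3072-bit policy would reject before the API server health check does.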

geneliu commented 2 years ago

Thank you @neolit123 for your comment and explanation. I got it.