siderolabs / talos

Talos Linux is a modern Linux distribution built for Kubernetes.
https://www.talos.dev
Mozilla Public License 2.0

Kubelet certs #3817

Closed sergelogvinov closed 6 days ago

sergelogvinov commented 3 years ago
  1. We can create all configs for Kubelet on the pre-run stage and store them in /system/secrets/kubelet (as for the control plane):

    • /etc/kubernetes/bootstrap-kubeconfig -> /system/secrets/kubelet/bootstrap-kubeconfig (bootstrap token)
    • /etc/kubernetes/kubelet -> /system/secrets/kubelet/kubeconfig (kubelet opens it in RW mode)
    • /etc/kubernetes/kubelet.yaml -> /system/secrets/kubelet/kubelet.yaml

    And share only the /etc/kubernetes/manifests folder with kubelet; /etc/kubernetes has sensitive data.

  2. Store the Kubelet certs (client/server) in the /system/state/kubelet folder. In this case we need to encrypt only the STATE partition and can keep the EPHEMERAL storage open.

  3. Create the kubelet certs (client/server) on the Controlplane. We have the CA certs and we can do it. It helps to speed up bootstrapping nodes even when kubelet has the flag rotate-server-certificates. Talos calls the kubelet API to check pod run status; in the case of rotate-server-certificates, Talos cannot do it.
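Item 3 proposes that the control plane signs the kubelet client and serving certificates from the cluster CA it already holds. The following Go snippet is an added example of what that issuance looks like with the standard library; it is not Talos code and not the author's, and the CA, node name and IP it uses are constructed here as assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// Sign issues tmpl under parent/parentKey (self-signed when parent is nil) with a fresh P-256 key, random 128-bit serial and one-day lifetime.
func Sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Minute), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func NewClusterCA() (*x509.Certificate, *ecdsa.PrivateKey, error) { // throwaway CA, constructed for this example
	return Sign(&x509.Certificate{Subject: pkix.Name{CommonName: "kubernetes"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
}

// KubeletCerts issues both kubelet certs for one node from the cluster CA (item 3): the client cert carries
// CN=system:node:<name>, O=system:nodes (the identity the Node authorizer expects) and clientAuth only;
// the serving cert carries SANs for the node name and IP and serverAuth only, so neither works in the other role.
func KubeletCerts(ca *x509.Certificate, caKey *ecdsa.PrivateKey, name string, ip net.IP) (client, server *x509.Certificate, err error) {
	client, _, err = Sign(&x509.Certificate{
		Subject:  pkix.Name{CommonName: "system:node:" + name, Organization: []string{"system:nodes"}},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca, caKey)
	if err == nil {
		server, _, err = Sign(&x509.Certificate{
			Subject: pkix.Name{CommonName: name}, DNSNames: []string{name}, IPAddresses: []net.IP{ip},
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, caKey)
	}
	return
}
```

A caller of the kubelet API (the check described in item 3) would verify the serving cert against the same CA with the node name as the expected host; the one-day lifetime assumes the kubelet's own rotation takes over afterwards.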

github-actions[bot] commented 1 week ago

This issue is stale because it has been open 180 days with no activity. Remove stale label or comment or this will be closed in 7 days.

github-actions[bot] commented 6 days ago

This issue was closed because it has been stalled for 7 days with no activity.