Merge pull request #32648 from liggitt/cert-audit

Add audit annotations for invalid certificates

Author: k8s-ci-robot

content/en/docs/reference/labels-annotations-taints/_index.md

@@ -495,8 +495,11 @@ based on setting `securityContext` within the Pod's `.spec`.
 
 ## Annotations used for audit
 
+<!-- sorted by annotation -->
 - [`authorization.k8s.io/decision`](/docs/reference/labels-annotations-taints/audit-annotations/#authorization-k8s-io-decision)
 - [`authorization.k8s.io/reason`](/docs/reference/labels-annotations-taints/audit-annotations/#authorization-k8s-io-reason)
+- [`insecure-sha1.invalid-cert.kubernetes.io/$hostname`](/docs/reference/labels-annotations-taints/audit-annotations/#insecure-sha1-invalid-cert-kubernetes-io-hostname)
+- [`missing-san.invalid-cert.kubernetes.io/$hostname`](/docs/reference/labels-annotations-taints/audit-annotations/#missing-san-invalid-cert-kubernetes-io-hostname)
 - [`pod-security.kubernetes.io/audit-violations`](/docs/reference/labels-annotations-taints/audit-annotations/#pod-security-kubernetes-io-audit-violations)
 - [`pod-security.kubernetes.io/enforce-policy`](/docs/reference/labels-annotations-taints/audit-annotations/#pod-security-kubernetes-io-enforce-policy)
 - [`pod-security.kubernetes.io/exempt`](/docs/reference/labels-annotations-taints/audit-annotations/#pod-security-kubernetes-io-exempt)

content/en/docs/reference/labels-annotations-taints/audit-annotations.md

@@ -73,3 +73,38 @@ Example: `authorization.k8s.io/decision: "Human-readable reason for the decision
 This annotation gives reason for the [decision](#authorization-k8s-io-decision) in Kubernetes audit logs.
 
 See [Auditing](/docs/tasks/debug-application-cluster/audit/) for more information.
+
+## missing-san.invalid-cert.kubernetes.io/$hostname
+
+Example: `missing-san.invalid-cert.kubernetes.io/example-svc.example-namespace.svc: "relies on a legacy Common Name field instead of the SAN extension for subject validation"`
+
+Used by Kubernetes version v1.24 and later
+
+This annotation indicates a webhook or aggregated API server
+is using an invalid certificate that is missing `subjectAltNames`.
+Support for these certificates was disabled by default in Kubernetes 1.19,
+and removed in Kubernetes 1.23.
+
+Requests to endpoints using these certificates will fail.
+Services using these certificates should replace them as soon as possible
+to avoid disruption when running in Kubernetes 1.23+ environments.
+
+There's more information about this in the Go documentation:
+[X.509 CommonName deprecation](https://go.dev/doc/go1.15#commonname).
+
+## insecure-sha1.invalid-cert.kubernetes.io/$hostname
+
+Example: `insecure-sha1.invalid-cert.kubernetes.io/example-svc.example-namespace.svc: "uses an insecure SHA-1 signature"`
+
+Used by Kubernetes version v1.24 and later
+
+This annotation indicates a webhook or aggregated API server
+is using an insecure certificate signed with a SHA-1 hash.
+Support for these insecure certificates is disabled by default in Kubernetes 1.24,
+and will be removed in a future release.
+
+Services using these certificates should replace them as soon as possible,
+to ensure connections are secured properly and to avoid disruption in future releases.
+
+There's more information about this in the Go documentation:
+[Rejecting SHA-1 certificates](https://go.dev/doc/go1.18#sha1).