content/en/docs/reference/access-authn-authz/certificate-signing-requests.md
Lines changed: 13 additions & 14 deletions
@@ -48,7 +48,7 @@ The CertificateSigningRequest `status.certificate` field is empty until the sign
48
48
49
49
Once the `status.certificate` field has been populated, the request has been completed and clients can now
50
50
fetch the signed certificate PEM data from the CertificateSigningRequest resource.
51
-
Signers can instead deny certificate signing if the approval conditions are not met.
51
+
The signers can instead deny certificate signing if the approval conditions are not met.
52
52
53
53
In order to reduce the number of old CertificateSigningRequest resources left in a cluster, a garbage collection
54
54
controller runs periodically. The garbage collection removes CertificateSigningRequests that have not changed
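Review bot: the added article at line 51 ("The signers can instead deny certificate signing ...") makes a general statement about every signer read as if it referred to specific signers mentioned earlier; the original "Signers can instead deny certificate signing if the approval conditions are not met." is the clearer wording, so this change is not an improvement on its own. If the sentence is going to be touched, the useful addition would be to say how a denial is visible to clients, since the surrounding text at lines 48-50 only describes `status.certificate` going from empty to populated, and a denied request also leaves that field empty, so a client polling only `status.certificate` cannot tell a denied request from a pending one.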
@@ -67,10 +67,10 @@ This includes:
67
67
1.**Permitted subjects**: any restrictions on and behavior when a disallowed subject is requested.
68
68
1.**Permitted x509 extensions**: including IP subjectAltNames, DNS subjectAltNames, Email subjectAltNames, URI subjectAltNames etc, and behavior when a disallowed extension is requested.
69
69
1.**Permitted key usages / extended key usages**: any restrictions on and behavior when usages different than the signer-determined usages are specified in the CSR.
70
-
1.**Expiration/certificate lifetime**: whether it is fixed by the signer, configurable by the admin, determined by the CSR object etc and behavior if an expiration different than the signer-determined expiration is specified in the CSR.
70
+
1.**Expiration/certificate lifetime**: whether it is fixed by the signer, configurable by the admin, determined by the CSR object etc and the behavior when an expiration is different than the signer-determined expiration that is specified in the CSR.
71
71
1.**CA bit allowed/disallowed**: and behavior if a CSR contains a request a for a CA certificate when the signer does not permit it.
72
72
73
-
Commonly, the `status.certificate` field contains a single PEM-encoded X.509 certificate once the CSR is approved and the certificate is issued. Some signers store multiple certificates into the `status.certificate` field. In that case, the documentation for the signer should specify the meaning of additional certificates; for example, this might be certificate plus intermediates to be presented during TLS handshakes.
73
+
Commonly, the `status.certificate` field contains a single PEM-encoded X.509 certificate once the CSR is approved and the certificate is issued. Some signers store multiple certificates into the `status.certificate` field. In that case, the documentation for the signer should specify the meaning of additional certificates; for example, this might be the certificate plus intermediates to be presented during TLS handshakes.
74
74
75
75
### Kubernetes signers
76
76
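Review bot: the rewrite of the Expiration/certificate lifetime item at line 70 garbles the meaning: "an expiration is different than the signer-determined expiration that is specified in the CSR" attaches "specified in the CSR" to the signer-determined expiration, which is the one value that is never in the CSR. Keep the original sense and fix only the grammar, for example "and the behavior if the CSR specifies an expiration different from the one the signer would choose." While here, "different than" should be "different from" in both this item and the untouched key-usages item at line 69. The wording change at line 73 ("the certificate plus intermediates") is fine.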
@@ -88,33 +88,32 @@ Kubernetes provides built-in signers that each have a well-known `signerName`:
88
88
1.`kubernetes.io/kube-apiserver-client-kubelet`: signs client certificates that will be honored as client-certs by the
89
89
kube-apiserver.
90
90
May be auto-approved by {{< glossary_tooltip term_id="kube-controller-manager" >}}.
91
-
1. Trust distribution: signed certificates must be honored as client-certificates by the kube-apiserver. The CA bundle
91
+
1. Trust distribution: signed certificates must be honored as client-certificates by the kube-apiserver. The CA bundle
92
92
is not distributed by any other means.
93
93
1. Permitted subjects - organizations are exactly `[]string{"system:nodes"}`, common name starts with `"system:node:"`
1. Expiration/certificate lifetime - minimum of CSR signer or request. Sanity of the time is the concern of the signer.
96
+
1. Expiration/certificate lifetime - minimum of CSR signer or request. The signer is responsible for checking that the certificate lifetime is valid and permissible.
97
97
1. CA bit allowed/disallowed - not allowed.
98
98
99
99
1.`kubernetes.io/kubelet-serving`: signs serving certificates that are honored as a valid kubelet serving certificate
100
100
by the kube-apiserver, but has no other guarantees.
101
101
Never auto-approved by {{< glossary_tooltip term_id="kube-controller-manager" >}}.
102
-
1. Trust distribution: signed certificates must be honored by the kube-apiserver as valid to terminate connections to a kubelet.
103
-
The CA bundle is not distributed by any other means.
102
+
1. Trust distribution: signed certificates must be honored by the kube-apiserver as valid to terminate connections to a kubelet. The CA bundle is not distributed by any other means.
104
103
1. Permitted subjects - organizations are exactly `[]string{"system:nodes"}`, common name starts with `"system:node:"`
105
104
1. Permitted x509 extensions - honors key usage and DNSName/IPAddress subjectAltName extensions, forbids EmailAddress and URI subjectAltName extensions, drops other extensions. At least one DNS or IP subjectAltName must be present.
1. Expiration/certificate lifetime - minimum of CSR signer or request.
108
107
1. CA bit allowed/disallowed - not allowed.
109
108
110
109
1.`kubernetes.io/legacy-unknown`: has no guarantees for trust at all. Some distributions may honor these as client
111
-
certs, but that behavior is not standard Kubernetes behavior.
110
+
certs, but that behavior is non-standard Kubernetes behavior.
112
111
Never auto-approved by {{< glossary_tooltip term_id="kube-controller-manager" >}}.
113
112
1. Trust distribution: None. There is no standard trust or distribution for this signer in a Kubernetes cluster.
114
113
1. Permitted subjects - any
115
114
1. Permitted x509 extensions - honors subjectAltName and key usage extensions and discards other extensions.
116
115
1. Permitted key usages - any
117
-
1. Expiration/certificate lifetime - minimum of CSR signer or request. Sanity of the time is the concern of the signer.
116
+
1. Expiration/certificate lifetime - minimum of CSR signer or request. The signer is responsible for checking that the certificate lifetime is valid and permissible.
118
117
1. CA bit allowed/disallowed - not allowed.
119
118
120
119
{{< note >}}
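Review bot: the replacement sentence "The signer is responsible for checking that the certificate lifetime is valid and permissible." is applied to `kubernetes.io/kube-apiserver-client-kubelet` (line 96) and `kubernetes.io/legacy-unknown` (line 116) but not to the `kubernetes.io/kubelet-serving` item (line 107, which still reads only "minimum of CSR signer or request."), so the three signer entries are now inconsistent; either add the sentence there as well or state why that signer differs. "Valid and permissible" is also less concrete than it could be: say what the signer must reject, for example a requested lifetime longer than the signer's configured maximum or a non-positive duration, so an implementer knows what check is expected. Minor: the Trust distribution line for `kube-apiserver-client-kubelet` at line 91 shows no visible text change; if it is whitespace only, dropping it keeps the diff focused on the wording edits.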
@@ -228,7 +227,7 @@ rules:
228
227
229
228
## Normal User
230
229
231
-
Few steps are required in order to get normal user to be able to authenticate and invoke API. First, this user must have certificate issued by the Kubernetes Cluster, and then present that Certificate into the API call as the Certificate Header, or through the kubectl.
230
+
There are a few steps are required in order to get normal user to be able to authenticate and invoke API. First, this user must have certificate issued by the Kubernetes Cluster, and then present that Certificate into the API call as the Certificate Header, or through the kubectl.
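Review bot: the new sentence at line 230 has a duplicated verb ("There are a few steps are required ...") and keeps the grammar problems of the original. Suggested: "A few steps are required for a normal user to be able to authenticate and invoke the API. First, the user must have a certificate issued by the Kubernetes cluster, and then present that certificate in the API call, or through kubectl." Separately, "present that Certificate into the API call as the Certificate Header" is misleading and worth fixing in the same edit: a client certificate is presented to the kube-apiserver during the TLS handshake, not as an HTTP header, and a reader could otherwise conclude that placing a certificate in a request header is a way to authenticate. If the page means the client certificate configured in a kubeconfig or passed to kubectl, say that instead.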