Pod Certificates: Narrow documentation of new feature

The "Certificates" page is creaking under its own weight, and is due to
be split up.  This is being pursued in a separate PR:

  #51487

Author: ahmedtd

content/en/docs/concepts/storage/projected-volumes.md

@@ -25,6 +25,7 @@ Currently, the following types of volume sources can be projected:
 * [`configMap`](/docs/concepts/storage/volumes/#configmap)
 * [`serviceAccountToken`](#serviceaccounttoken)
 * [`clusterTrustBundle`](#clustertrustbundle)
+* [`podCertificate`](#podcertificate)
 
 All sources are required to be in the same namespace as the Pod. For more details,
 see the [all-in-one volume](https://git.k8s.io/design-proposals-archive/node/all-in-one-volume.md) design document.
@@ -96,6 +97,62 @@ By default, the kubelet will prevent the pod from starting if the named ClusterT
 
 {{% code_sample file="pods/storage/projected-clustertrustbundle.yaml" %}}
 
+
+## podCertificate projected volumes {#podcertificate}
+
+{{< feature-state feature_gate_name="PodCertificateRequest" >}}
+
+{{< note >}}
+In Kubernetes {{< skew currentVersion >}}, you must enable support for Pod
+Certificates using the `PodCertificateRequest` [feature
+gate](/docs/reference/command-line-tools-reference/feature-gates/) and the
+`--runtime-config=certificates.k8s.io/v1alpha1/podcertificaterequests=true`
+kube-apiserver flag.
+{{< /note >}}
+
+The `podCertificate` projected volumes source securely provisions a private key
+and X.509 certificate chain for pod to use as client or server credentials.
+Kubelet will then handle refreshing the private key and certificate chain when
+they get close to expiration.  The application just has to make sure that it
+reloads the file promptly when it changes, with a mechanism like `inotify` or
+polling.
+
+Each `podCertificate` projection supports the following configuration fields:
+* `signerName`: The
+  [signer](/docs/reference/access-authn-authz/certificate-signing-requests#signers)
+  you want to issue the certificate.  Note that signers may have their own
+  access requirements, and may refuse to issue certificates to your pod.
+* `keyType`: The type of private key that should be generated.  Valid values are
+  `ED25519`, `ECDSAP256`, `ECDSAP384`, `ECDSAP521`, `RSA3072`, and `RSA4096`.
+* `maxExpirationSeconds`: The maximum lifetime you will accept for the
+  certificate issued to the pod.  If not set, will be defaulted to `86400` (24
+  hours).  Must be at least `3600` (1 hour), and at most `7862400` (91 days).
+  Kubernetes built-in signers are restricted to a max lifetime of `86400` (1
+  day). The signer is allowed to issue a certificate with a lifetime shorter
+  than what you've specified.
+* `credentialBundlePath`: Relative path within the projection where the
+  credential bundle should be written.  The credential bundle is a PEM-formatted
+  file, where the first block is a "PRIVATE KEY" block that contains a
+  PKCS#8-serialized private key, and the remaining blocks are "CERTIFICATE"
+  blocks that comprise the certificate chain (leaf certificate and any
+  intermediates).
+* `keyPath` and `certificateChainPath`: Separate paths where Kubelet should
+  write *just* the private key or certificate chain.
+
+{{< note >}}
+
+Most applications should prefer using `credentialBundlePath` unless they need
+the key and certificates in separate files for compatibility reasons. Kubelet
+uses an atomic writing strategy based on symlinks to make sure that when you
+open the files it projects, you read either the old content or the new content.
+However, if you read the key and certificate chain from separate files, Kubelet
+may rotate the credentials after your first read and before your second read,
+resulting in your application loading a mismatched key and certificate.
+
+{{< /note >}}
+
+{{% code_sample file="pods/storage/projected-podcertificate.yaml" %}}
+
 ## SecurityContext interactions
 
 The [proposal](https://git.k8s.io/enhancements/keps/sig-storage/2451-service-account-token-volumes#proposal) for file permission handling in projected service account volume enhancement introduced the projected files having the correct owner permissions set.

content/en/docs/reference/access-authn-authz/certificate-signing-requests.md

@@ -376,6 +376,97 @@ you like. If you want to add a note for human consumption, use the
 `status.conditions.message` field.
 
 
+## PodCertificateRequests {#pod-certificate-requests}
+
+{{< feature-state feature_gate_name="PodCertificateRequest" >}}
+
+{{< note >}}
+In Kubernetes {{< skew currentVersion >}}, you must enable support for Pod
+Certificates using the `PodCertificateRequest` [feature
+gate](/docs/reference/command-line-tools-reference/feature-gates/) and the
+`--runtime-config=certificates.k8s.io/v1alpha1/podcertificaterequests=true`
+kube-apiserver flag.
+{{< /note >}}
+
+PodCertificateRequests are API objects tailored to provisioning certificates to
+workloads running as Pods within a cluster.  The user typically does not
+interact with PodCertificateRequests directly, but uses [podCertificate
+projected volume sources](
+/docs/concepts/storage/projected-volumes#podcertificate), which are a `kubelet`
+feature that handles secure key provisioning and automatic certificate refresh.
+The application inside the pod only needs to know how to read the certificates
+from the filesystem.
+
+PodCertificateRequests are similar to CertificateSigningRequests, but have a
+simpler format enabled by their narrower use case.
+
+A PodCertificateRequest has the following spec fields:
+* `signerName`: The signer to which this request is addressed.
+* `podName` and `podUID`: The Pod that Kubelet is requesting a certificate for.
+* `serviceAccountName` and `serviceAccountUID`: The ServiceAccount corresponding to the Pod.
+* `nodeName` and `nodeUID`: The Node corresponding to the Pod.
+* `maxExpirationSeconds`: The maximum lifetime that the workload author will
+  accept for this certificate.  Defaults to 24 hours if not specified.
+* `pkixPublicKey`: The public key for which the certificate should be issued.
+* `proofOfPossession`: A signature demonstrating that the requester controls the
+  private key corresponding to `pkixPublicKey`.
+
+Nodes automatically receive permissions to create PodCertificateRequests and
+read PodCertificateRequests related to them (as determined by the
+`spec.nodeName` field).  The `NodeRestriction` admission plugin, if enabled,
+ensures that nodes can only create PodCertificateRequests that correspond to a
+real pod that is currently running on the node.
+
+After creation, the `spec` of a PodCertificateRequest is immutable.
+
+Unlike CSRs, PodCertificateRequests do not have an
+approval phase.  Once the PodCertificateRequest is created, the signer's
+controller directly decides to issue or deny the request.  It also has the
+option to mark the request as failed, if it encountered a permanent error when
+attempting to issue the request.
+
+To take any of these actions, the signing controller needs to have the
+appropriate permissions on both the PodCertificateRequest type, as well as on
+the signer name:
+* Verbs: **update**, group: `certificates.k8s.io`, resource:
+  `podcertificaterequests/status`
+* Verbs: **sign**, group: `certificates.k8s.io`, resource: `signers`,
+  resourceName: `<signerNameDomain>/<signerNamePath>` or `<signerNameDomain>/*`
+
+The signing controller is free to consider other information beyond what's
+contained in the request, but it can rely on the information in the request to
+be accurate.  For example, the signing controller might load the Pod and read
+annotations set on it, or perform a SubjectAccessReview on the ServiceAccount.  
+
+To issue a certificate in response to a request, the signing controller:
+* Adds an `Issued` condition to `status.conditions`.
+* Puts the issued certificate in `status.certificateChain`
+* Puts the `NotBefore` and `NotAfter` fields of the certificate in the
+  `status.notBefore` and `status.notAfter` fields &mdash; these fields are
+  denormalized into the Kubernetes API in order to aid debugging
+* Suggests a time to begin attempting to refresh the certificate using
+  `status.beginRefreshAt`.
+
+To deny a request, the signing controller adds a "Denied" condition to
+`status.conditions[]`.
+
+To mark a request failed, the signing controller adds a "Failed" condition to
+`status.conditions[]`.
+
+All of these conditions are mutually-exclusive, and must have status "True".  No
+other condition types are permitted on PodCertificateRequests.  In addition,
+once any of these conditions are set, the `status` field becomes immutable.
+
+Like all conditions, the `status.conditions[].reason` field is meant to contain
+a machine-readable code describing the condition in TitleCase.  The
+`status.conditions[].message` field is meant for a free-form explanation for
+human consumption.
+
+To ensure that terminal PodCertificateRequests do not build up in the cluster, a
+`kube-controller-manager` controller deletes all PodCertificateRequests older
+than 15 minutes.  All certificate issuance flows are expected to complete within
+this 15-minute limit.
+
 ## Cluster trust bundles {#cluster-trust-bundles}
 
 {{< feature-state feature_gate_name="ClusterTrustBundle" >}}

content/en/docs/reference/command-line-tools-reference/feature-gates/PodCertificateRequests.md

@@ -0,0 +1,15 @@
+---
+title: PodCertificateRequest
+content_type: feature_gate
+_build:
+  list: never
+  render: false
+
+stages:
+  - stage: alpha
+    defaultValue: false
+    fromVersion: "1.34"
+    toVersion: "1.37"
+---
+Enable PodCertificateRequest objects and podCertificate projected volume
+sources.

content/en/examples/pods/storage/projected-podcertificate.yaml

@@ -0,0 +1,26 @@
+# Sample Pod spec that uses a podCertificate projection to request an ED25519
+# private key, a certificate from the `coolcert.example.com/foo` signer, and
+# write the results to `/var/run/my-x509-credentials/credentialbundle.pem`.
+apiVersion: v1
+kind: Pod
+metadata:
+  namespace: default
+  name: podcertificate-pod
+spec:
+  serviceAccountName: default
+  containers:
+  - image: debian
+    name: main
+    command: ["sleep", "infinity"]
+    volumeMounts:
+    - name: my-x509-credentials
+      mountPath: /var/run/my-x509-credentials
+  volumes:
+  - name: my-x509-credentials
+    projected:
+      defaultMode: 420
+      sources:
+      - podCertificate:
+          keyType: ED25519
+          signerName: coolcert.example.com/foo
+          credentialBundlePath: credentialbundle.pem