Skip to content
This repository has been archived by the owner on Feb 10, 2022. It is now read-only.

kube-apiserver should use a different certificate for the requestheader-client-ca-file #214

Open
tvs opened this issue Jun 7, 2018 · 2 comments
Open

kube-apiserver should use a different certificate for the requestheader-client-ca-file #214

tvs opened this issue Jun 7, 2018 · 2 comments
Labels
unscheduled

Comments

@tvs
Copy link
Member

tvs commented Jun 7, 2018

The API server should have a specific CA certificate for the Aggregator rather than reusing the kubo_ca. By reusing kubo_ca we're blurring trust boundaries and possibly opening up new attack vectors that wouldn't otherwise exist.

Configure the aggregation layer: Enable apiserver flags
Serving Certificates, Authentication, and Authorization: RequestHeader Authentication
@cf-gitbot
Copy link

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/158193278

The labels on this github issue will be updated when the story is started.

@alex-slynko
Copy link
Member

  1. Does Service-catalog use API-extensions?
  2. Who uses Aggregator API?
  3. How do they provide the certificate for it?
  4. What is an upgrade path for such people?

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
unscheduled
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tvs @alex-slynko @cf-gitbot