kube-apiserver should use a different certificate for the requestheader-client-ca-file

Open tvs opened this issue 7 years ago • 2 comments

The API server should have a specific CA certificate for the Aggregator rather than reusing the kubo_ca. By reusing kubo_ca we're blurring trust boundaries and possibly opening up new attack vectors that wouldn't otherwise exist.

Configure the aggregation layer: Enable apiserver flags

Serving Certificates, Authentication, and Authorization: RequestHeader Authentication

tvs avatar Jun 07 '18 17:06 tvs
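
A check for the reuse described in the issue above, as an added example that is not part of the issue or of the kubo-release code: it parses a kube-apiserver command line and reports any CA certificate present in both the `--client-ca-file` and `--requestheader-client-ca-file` bundles. It assumes kubo_ca is the bundle passed to `--client-ca-file`; the file paths and PEM blobs are constructed stand-ins, not real certificates.

```python
import base64, hashlib, re, shlex

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def constructed_pem(raw):
    """Wrap arbitrary bytes in PEM armor (constructed sample data only)."""
    body = base64.b64encode(raw).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def cert_fingerprints(pem_text):
    """SHA-256 over the DER bytes of every certificate in a PEM bundle."""
    return {hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_RE.findall(pem_text)}

def apiserver_flags(cmdline):
    """Parse both '--flag=value' and '--flag value' forms into a dict."""
    flags, pending = {}, None
    for tok in shlex.split(cmdline):
        if tok.startswith("--"):
            name, sep, value = tok[2:].partition("=")
            flags[name] = value
            pending = None if sep else name
        elif pending:
            flags[pending], pending = tok, None
    return flags

def shared_trust_anchors(cmdline, read_file=lambda p: open(p).read()):
    """Fingerprints trusted by both bundles; None if either flag is unset."""
    flags = apiserver_flags(cmdline)
    client, front = flags.get("client-ca-file"), flags.get("requestheader-client-ca-file")
    if not client or not front:
        return None
    return cert_fingerprints(read_file(client)) & cert_fingerprints(read_file(front))

# Constructed sample input: hypothetical paths, placeholder certificate bodies.
SAMPLE_FILES = {
    "/certs/kubo_ca.pem": constructed_pem(b"constructed stand-in: kubo_ca"),
    "/certs/aggregator_ca.pem": constructed_pem(b"constructed stand-in: aggregator CA"),
}
REUSED = "kube-apiserver --client-ca-file=/certs/kubo_ca.pem --requestheader-client-ca-file=/certs/kubo_ca.pem"
SEPARATE = "kube-apiserver --client-ca-file=/certs/kubo_ca.pem --requestheader-client-ca-file /certs/aggregator_ca.pem"

if __name__ == "__main__":
    for name, cmd in (("reused", REUSED), ("separate", SEPARATE)):
        shared = shared_trust_anchors(cmd, SAMPLE_FILES.__getitem__)
        print(name, "->", "shared CA: " + ", ".join(shared) if shared else "separate CAs")
```

Comparing fingerprints rather than file paths also catches the same CA copied to a second path or included in a larger bundle.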

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/158193278

The labels on this GitHub issue will be updated when the story is started.

cf-gitbot avatar Jun 07 '18 17:06 cf-gitbot

  1. Does Service-catalog use API-extensions?
  2. Who uses Aggregator API?
  3. How do they provide the certificate for it?
  4. What is an upgrade path for such people?

alex-slynko avatar Jul 16 '18 11:07 alex-slynko