
Harden Kubelet Serving Certificate Validation in Kube-API server

Open g-gaston opened this issue 1 year ago • 16 comments

Enhancement Description

  • One-line enhancement description (can be used as a release note): Harden Kubelet Serving Certificate Validation in Kube-API server
  • Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/4872-harden-kubelet-cert-validation/README.md
  • Discussion Link: sig-auth meeting on August 28th 2024, implementation discussion on May 7th, 2025
  • Primary contact (assignee): @g-gaston
  • Responsible SIGs: sig-auth
  • Enhancement target (which target equals to which milestone):
    • Alpha release target (x.y): 1.34
    • Beta release target (x.y):
    • Stable release target (x.y):
  • [ ] Alpha
    • [x] KEP (k/enhancements) update PR(s): https://github.com/kubernetes/enhancements/pull/4911
    • [ ] Code (k/k) update PR(s):
    • [ ] Docs (k/website) update PR(s):

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

g-gaston avatar Sep 24 '24 19:09 g-gaston

/sig auth

g-gaston avatar Sep 24 '24 19:09 g-gaston

I imagine this is also relevant to SIG Security.

sftim avatar Sep 25 '24 15:09 sftim

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Jan 07 '25 02:01 k8s-triage-robot

/remove-lifecycle stale

g-gaston avatar Jan 07 '25 14:01 g-gaston

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Apr 07 '25 15:04 k8s-triage-robot

/remove-lifecycle stale

g-gaston avatar Apr 07 '25 21:04 g-gaston

Moving to opted-in for alpha for 1.34, agreement during 1.34 planning from leads that we'd like to try to get this in

liggitt avatar Apr 28 '25 13:04 liggitt

Hi @g-gaston :wave:, v1.34 Enhancements team here.

This is a reminder of the upcoming PRR Freeze on Thursday 12th June 2025.

By this date, there must be a PR open in k/enhancements with:

  • The KEP's PRR questionnaire filled out.
  • The kep.yaml updated with the stage, latest-milestone, and milestone struct filled out.
  • A PRR approval file with the PRR approver listed for the stage the KEP is targeting.

Having the PRR questionnaire filled out by this deadline will help ensure that the PRR team has enough time to review your KEP before Enhancements Freeze on Friday 20th June 2025. For more information on the PRR process, see here.

stmcginnis avatar Jun 06 '25 11:06 stmcginnis

@stmcginnis done! thanks https://github.com/kubernetes/enhancements/pull/4911

g-gaston avatar Jun 09 '25 16:06 g-gaston

Hello @g-gaston 👋, v1.34 Enhancements team here again.

Just checking in as we approach Enhancements Freeze on 21:00 UTC Friday 20th June 2025.

This enhancement is targeting stage alpha for v1.34 (correct me, if otherwise)

Here's where this enhancement currently stands:

  • [ ] KEP readme using the latest template has been merged into the k/enhancements repo.
  • [ ] KEP status is marked as implementable for latest-milestone: v1.34.
  • [ ] KEP readme has up-to-date graduation criteria
  • [ ] KEP has a production readiness review that has been completed and merged into k/enhancements. (For more information on the PRR process, check here). If your production readiness review is not completed yet, please make sure to fill the production readiness questionnaire in your KEP by the PRR Freeze deadline on { PRR_FREEZE_DATETIME } so that the PRR team has enough time to review your KEP.

For this KEP, we would just need to update the following:

  • KEP merged to k/enhancements repo
  • PRR completed and merged

The status of this enhancement is marked as At risk for enhancements freeze. Please keep the issue description up-to-date with appropriate stages as well.

If you anticipate missing enhancements freeze, you can file an exception request in advance. Thank you!

stmcginnis avatar Jun 11 '25 16:06 stmcginnis

Hey 👋 - just a friendly reminder that enhancement freeze is coming up in just a few days. If we know this enhancement will not make it for 1.34, please remove or update the target milestone.

Also a reminder that, if necessary, you can file a freeze exception request. Thanks!

stmcginnis avatar Jun 17 '25 17:06 stmcginnis

@stmcginnis we are working on the last round of reviews and we should have the kep PR merged in the next couple of days, including PRR approval

g-gaston avatar Jun 17 '25 17:06 g-gaston

@stmcginnis #4911 is merged.

enj avatar Jun 18 '25 01:06 enj

Hi @g-gaston 👋 -- this is Dipesh (@dipesh-rawat) from the v1.34 Communications Team!

For the v1.34 release, we are currently in the process of collecting and curating a list of potential feature blogs, and we'd love for you to consider writing one for your enhancement!

As you may be aware, feature blogs are a great way to communicate to users about features which fall into (but not limited to) the following categories:

  • This introduces some breaking change(s)
  • This has significant impacts and/or implications to users
  • ...Or this is a long-awaited feature, which would go a long way to cover the journey more in detail 🎉

To opt in to write a feature blog, could you please let us know and open a "Feature Blog placeholder PR" (which can be only a skeleton at first) against the website repository by Friday 11th July? For more information about writing a blog, please find the blog contribution guidelines 📚

[!Tip] Some timeline to keep in mind:

  • 02:00 UTC Friday 11th July 2025: Feature blog PR freeze
  • Friday 8th August 2025: Feature blogs ready for review
  • You can find more in the release document

[!Note] In your placeholder PR, use XX characters for the blog date in the front matter and file name. We will work with you on updating the PR with the publication date once we have a final number of feature blogs for this release.

dipesh-rawat avatar Jun 21 '25 15:06 dipesh-rawat

Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/issues/4872

This should be a link to the KEP markdown, not to this issue.

https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/4872-harden-kubelet-cert-validation/README.md

BenTheElder avatar Jun 23 '25 16:06 BenTheElder

Hello @enj 👋, 1.34 Docs Lead here.

Does this enhancement work planned for 1.34 require any new docs or modification to existing docs? If so, please follow the steps here to open a PR against the dev-1.34 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thursday 3rd July 2025 18:00 PDT.

Also, take a look at Documenting for a release to familiarize yourself with the docs requirements for the release.

Thank you!

michellengnx avatar Jun 27 '25 16:06 michellengnx

Hi @enj 👋, 1.34 Docs Shadow here.

Just a reminder to open a placeholder PR against the dev-1.34 branch in the k/website repo if this KEP needs new or updated docs. (steps available here) If this KEP doesn’t require any docs updates, please kindly confirm that here too.

The deadline for this is Thursday, July 3 at 18:00 PDT. Thanks! 🚀

yujen77300 avatar Jul 02 '25 00:07 yujen77300

Hey again @enj 👋, 1.34 Enhancements team here,

Just checking in as we approach code freeze at 02:00 UTC Friday 25th July 2025.

Here's where this enhancement currently stands:

  • [ ] All PRs to the Kubernetes repo that are related to your enhancement are linked in the above issue description (for tracking purposes).
  • [ ] All PRs are ready to be merged (they have approved and lgtm labels applied) by the code freeze deadline. This includes tests.

For this enhancement, it doesn't appear there are any implementation PRs linked in the description. Please add those as soon as possible.

If the implementation work for this enhancement is occurring out-of-tree (i.e., outside of k/k), please link the relevant PRs in the issue description for visibility. Alternatively, if you're unable to provide specific PR links, a confirmation that all out-of-tree implementation work is complete and merged will help us finalize tracking and maintain accuracy.

The status of this enhancement is marked as At risk for code freeze.

If you anticipate missing code freeze, you can file an exception request in advance.

Also, please let me know if there are other PRs in k/k we should be tracking for this KEP. As always, we are here to help if any questions come up. Thanks!

stmcginnis avatar Jul 03 '25 18:07 stmcginnis

Hi @g-gaston @enj 👋, v1.34 Communications Team here again!

This is a gentle reminder for the feature blog deadline mentioned previously (here), which is 02:00 UTC Friday 11th July 2025. To opt in, please let us know and open a Feature Blog placeholder PR against k/website by the deadline. If you have any questions, please feel free to reach out to us!

[!Tip] Some timeline to keep in mind:

  • 02:00 UTC Friday 11th July 2025: Feature blog PR freeze
  • Friday 8th August 2025: Feature blogs ready for review
  • You can find more in the release document

[!Note] In your placeholder PR, use XX characters for the blog date in the front matter and file name. We will work with you on updating the PR with the publication date once we have a final number of feature blogs for this release.

dipesh-rawat avatar Jul 07 '25 13:07 dipesh-rawat

Unfortunately, the implementation (code related) PR(s) associated with this enhancement are not in the merge-ready state by code-freeze and hence this enhancement is now removed from the v1.34 milestone.

Additionally, if any of the merged implementation PRs for this enhancement include user-facing changes, please let us know. This will help us determine whether the changes should be documented or considered for rollback to maintain release integrity.

If you still wish to progress this enhancement in v1.34, please file an exception request as soon as possible, within three days. If you have any questions, you can reach out in the #release-enhancements channel on Slack and we'll be happy to help. Thanks!

/label tracked/no
/milestone clear

jenshu avatar Jul 25 '25 02:07 jenshu

Hi @g-gaston :wave:, v1.35 Enhancements Lead here.

I am closing the v1.34 milestone now.

If you'd like to work on this enhancement in v1.35, please have the SIG lead opt-in by adding the lead-opted-in label, which ensures it gets added to the tracking board. Also, please set the milestone to v1.35 using /milestone v1.35.

Thanks!

/remove-label lead-opted-in
/remove-label tracked/no

rayandas avatar Sep 17 '25 12:09 rayandas

Hello @enj 👋, v1.35 Enhancements team here.

This is a reminder of the upcoming PRR freeze on Thursday 9th October 2025 (AoE) / Friday 10th October 2025, 12:00 UTC.

This enhancement is targeting stage alpha for v1.35 (correct me, if otherwise)

Here's where this enhancement currently stands:

  • [x] PR open or merged with the KEP's PRR questionnaire filled out.
  • [x] PR open or merged with kep.yaml updated with the stage, latest-milestone, and milestone struct filled out.
  • [x] PR open or merged with a PRR approval file with the PRR approver listed for the stage the KEP is targeting.

Note that the PRs are not required to be approved or merged by the PRR freeze deadline. Having the PRR questionnaire filled out by the deadline will help ensure that the PRR team has enough time to review your KEP before enhancements freeze on Thursday 16th October 2025 (AoE) / Friday 17th October 2025, 12:00 UTC. For more information on the PRR process, see here.

With all the PRR freeze requirements in place, this enhancement is now marked as Tracked for PRR freeze! Please keep the issue description up-to-date with appropriate stages as well.

/label tracked/yes

jmickey avatar Oct 05 '25 22:10 jmickey

Hello @enj 👋, v1.35 Enhancements team here.

Just checking in as we approach enhancements freeze on Thursday 16th October 2025 (AoE) / Friday 17th October 2025, 12:00 UTC.

This enhancement is targeting stage alpha for v1.35 (correct me, if otherwise)

Here's where this enhancement currently stands:

  • [X] KEP readme using the latest template has been merged into the k/enhancements repo.
  • [X] KEP status is marked as implementable for latest-milestone: v1.35. KEPs targeting stable will need to be marked as implemented after code PRs are merged.
  • [X] KEP readme has up-to-date graduation criteria.
  • [X] KEP has submitted a production readiness review request for approval and has a reviewer assigned.
  • [X] KEP has a production readiness review that has been completed and merged into k/enhancements. (For more information on the PRR process, check here).

With all the KEP requirements in place and merged into k/enhancements, this enhancement is all good for the upcoming enhancements freeze. 🚀

The status of this enhancement is marked as Tracked for enhancements freeze. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

jmickey avatar Oct 15 '25 02:10 jmickey

Hello @enj :wave:, v1.35 Docs Shadow here.

Does this enhancement work planned for v1.35 require any new docs or modification to existing docs?

If so, please follow the steps here to open a PR against the dev-1.35 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thursday 23rd October 2025.

Also, take a look at Documenting for a release to familiarize yourself with the docs requirements for the release. Thank you!

Jimmykhangnguyen avatar Oct 15 '25 17:10 Jimmykhangnguyen

Hello @enj @g-gaston 👋, this is Aakanksha (@aakankshabhende) from the v1.35 Communications Team!

For the v1.35 release, we are currently in the process of collecting and curating a list of potential feature blogs, and we'd love for you to consider writing one for your enhancement!

As you may be aware, feature blogs are a great way to communicate to users about features which fall into (but not limited to) the following categories:

  • This introduces some breaking change(s)
  • This has significant impacts and/or implications to users
  • ...Or this is a long-awaited feature, which would go a long way to cover the journey more in detail 🎉

To opt in to write a feature blog, could you please let us know and open a "Feature Blog placeholder PR" (which can be only a skeleton at first) against the website repository by Friday, 31st October? For more information about writing a blog, please find the blog contribution guidelines 📚

[!Tip] Some timeline to keep in mind:

  • 12:00 UTC Friday, 31st October: Feature blog PR freeze
  • Friday, 21st November: Feature blogs ready for review
  • You can find more in the release document

[!Note] In your placeholder PR, use XX characters for the blog date in the front matter and file name. We will work with you on updating the PR with the publication date once we have a final number of feature blogs for this release.

aakankshabhende avatar Oct 19 '25 09:10 aakankshabhende

Hello @enj @g-gaston 👋, v1.35 Docs Lead here.

Does this enhancement work planned for v1.35 require any new docs or modification to existing docs? If so, please follow the steps here to open a PR against the dev-1.35 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thursday 23rd October 2025. Also, take a look at Documenting for a release to familiarize yourself with the docs requirements for the release.

Thank you!

Urvashi0109 avatar Oct 20 '25 08:10 Urvashi0109

Hello @enj 👋, v1.35 Docs Shadow here.

Does this enhancement work planned for v1.35 require any new docs or modification to existing docs?

If so, please follow the steps here to open a PR against the dev-1.35 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thursday 23rd October 2025.

Also, take a look at Documenting for a release to familiarize yourself with the docs requirements for the release. Thank you!

Hello @enj 👋, we are closing in on the Placeholder PR deadline, Thursday 23rd October 2025. I'm dropping a reminder to please follow the guidelines mentioned in the quoted comment.

Urvashi0109 avatar Oct 21 '25 19:10 Urvashi0109

@Urvashi0109 no docs are planned for this release.

enj avatar Oct 23 '25 17:10 enj

Hi @enj @g-gaston 👋, this is Aakanksha (@aakankshabhende) from the v1.35 Communications Team here again!

This is a gentle reminder for the feature blog deadline mentioned above, which is 12:00 UTC Friday, 31st October. To opt in, please let us know and open a Feature Blog placeholder PR against k/website by the deadline. If you have any questions, please feel free to reach out to us!

[!Tip] Some timeline to keep in mind:

  • 12:00 UTC Friday, 31st October: Feature blog PR freeze
  • Friday, 21st November: Feature blogs ready for review
  • You can find more in the release document

[!Note] In your placeholder PR, use XX characters for the blog date in the front matter and file name. We will work with you on updating the PR with the publication date once we have a final number of feature blogs for this release.

aakankshabhende avatar Oct 27 '25 11:10 aakankshabhende

Hey again @enj 👋, v1.35 Enhancements team here,

Just checking in as we approach code freeze and test freeze at Thursday 6th November 2025 (AoE) / Friday 7th November 2025, 12:00 UTC.

Here's where this enhancement currently stands:

  • [x] All PRs to the Kubernetes repo that are related to your enhancement are linked in the above issue description (for tracking purposes).
  • [x] All PRs are ready to be merged (they have approved and lgtm labels applied) by the code freeze deadline. This includes tests.

Per the issue description, these are all of the implementation (code-related) PRs for v1.35:

  • https://github.com/kubernetes/kubernetes/pull/133947

Please let me know (and keep the issue description updated) if there are any other PRs in k/k that we should track for this KEP, so that we can maintain accurate status.

If the implementation work for this enhancement is occurring out-of-tree (i.e., outside of k/k), please link the relevant PRs in the issue description for visibility. Alternatively, if you're unable to provide specific PR links, a confirmation that all out-of-tree implementation work is complete and merged will help us finalize tracking and maintain accuracy.

This enhancement is now marked as Tracked for code freeze!

Please note that KEPs targeting stable need to have the status field marked as implemented in the kep.yaml file after code PRs are merged.

/label tracked/yes

jmickey avatar Nov 01 '25 18:11 jmickey