cluster-api
Bump RSA key size to 3072-bits to meet German federal BSI Technical Guideline TR-02102-2
What steps did you take and what happened?
Use kubeadmcontrolplane
What did you expect to happen?
This would have been a feature request, but as of 2024/1/1 this is now a bug. Germany's BSI (Federal Office for Information Security) requires government systems to use at least 3000 bit RSA keys since 2024/1/1. This means that kubeadm cannot meet federal security standards as the 2048-bit RSA key length is hardcoded.
3000+ bit keys are considered good until 2030.
Recommend changing the default to 3072-bits. This should have no impact on existing clusters.
Cluster API version
main / v1.6.1
Kubernetes version
N/A
Anything else you would like to add?
No other deltas with the standard were found.
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-2.pdf?__blob=publicationFile&v=10
Label(s) to be applied
/kind bug
One or more /area label. See https://github.com/kubernetes-sigs/cluster-api/labels?q=area for the list of labels.
This issue is currently awaiting triage.
If CAPI contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.
The triage/accepted label can be added by org members by writing /triage accepted in a comment.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Kubeadm bug here: https://github.com/kubernetes/kubeadm/issues/3003
Discussion in Slack suggests that we should provide options rather than change defaults, and encourage people to go to elliptic curve where possible.
/priority important-longterm
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- After 90d of inactivity, lifecycle/stale is applied
- After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
- After 30d of inactivity since lifecycle/rotten was applied, the issue is closed
You can:
- Mark this issue as fresh with /remove-lifecycle stale
- Close this issue with /close
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
/remove-lifecycle stale
/lifecycle frozen
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- After 90d of inactivity, lifecycle/stale is applied
- After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
- After 30d of inactivity since lifecycle/rotten was applied, the issue is closed
You can:
- Mark this issue as fresh with /remove-lifecycle stale
- Close this issue with /close
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
/remove-lifecycle stale
/help
@sbueringer: This request has been marked as needing help from a contributor.
Guidelines
Please ensure that the issue body includes answers to the following questions:
- Why are we solving this issue?
- To address this issue, are there any code changes? If there are code changes, what needs to be done in the code and what places can the assignee treat as reference points?
- Does this issue have zero to low barrier of entry?
- How can the assignee reach out to you for help?
For more details on the requirements of such an issue, please see here and ensure that they are met.
If this request no longer meets these requirements, the label can be removed by commenting with the /remove-help command.
In response to this:
/help
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
Note: when looking into this, we should always consider the ClusterConfiguration.EncryptionAlgorithm field added in the kubeadm v1beta4 API, but currently not surfaced in the KubeadmConfig API.
I will work on this, Thank you. /assign
Thank you very much!
Took a closer look and discussed it with Fabrizio.
Overall this is pretty similar to the work for cert validity periods.
The plan would be:
- Add EncryptionAlgorithm field to the CABPK / KCP API and fix conversion
  - Same enum values as in the kubeadm API (but copy the values from the kubeadm API, don't import them)
- Field on KCP should be mutable, so we have to allow mutation in the KCP webhook: main/controlplane/kubeadm/internal/webhooks/kubeadm_control_plane.go#L176 (+ unit test coverage)
- Regarding conversion from public types to upstreamv1betax: EncryptionAlgorithm is only available in the kubeadm v1beta4 API (similar to CACertificateValidityPeriod)
- We should use the field whenever we create a new private key for CAs / service account / KCP kubeconfig / certs on the Machine (last one is covered by adding it to the ClusterConfiguration)
- We have to keep ClusterConfiguration updated in the kubeadm-config ConfigMap (similar to UpdateCertificateValidityPeriodDays)
- Add EncryptionAlgorithm to the ClientCertEntry (see TODO added in: https://github.com/kubernetes-sigs/cluster-api/pull/12846)
cc @neolit123 @randomvariable (in case you want to add something on top of: https://github.com/kubernetes-sigs/cluster-api/issues/10077#issuecomment-3391253596)
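An added sketch (not cluster-api's or kubeadm's code) of what the plan above amounts to: an EncryptionAlgorithm enum whose values are copied from the kubeadm v1beta4 API, a key generator that honours it while keeping RSA-2048 as the empty-value default the issue complains about, and an audit helper that checks an existing key against the "at least 3000-bit RSA" floor cited in the issue. Treating ECDSA P-256 as acceptable follows the Slack suggestion to move to elliptic curves and is an assumption of this example, not something the thread states.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"fmt"
)

// EncryptionAlgorithmType mirrors the kubeadm v1beta4 enum; the values are
// copied rather than imported, as the plan above prefers.
type EncryptionAlgorithmType string

const (
	EncryptionAlgorithmRSA2048   EncryptionAlgorithmType = "RSA-2048"
	EncryptionAlgorithmRSA3072   EncryptionAlgorithmType = "RSA-3072"
	EncryptionAlgorithmRSA4096   EncryptionAlgorithmType = "RSA-4096"
	EncryptionAlgorithmECDSAP256 EncryptionAlgorithmType = "ECDSA-P256"
)

// NewPrivateKey generates a key for alg; an empty value keeps the historical
// RSA-2048 default that the issue reports as hardcoded.
func NewPrivateKey(alg EncryptionAlgorithmType) (any, error) {
	switch alg {
	case "", EncryptionAlgorithmRSA2048:
		return rsa.GenerateKey(rand.Reader, 2048)
	case EncryptionAlgorithmRSA3072:
		return rsa.GenerateKey(rand.Reader, 3072)
	case EncryptionAlgorithmRSA4096:
		return rsa.GenerateKey(rand.Reader, 4096)
	case EncryptionAlgorithmECDSAP256:
		return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	default:
		return nil, fmt.Errorf("unknown encryption algorithm %q", alg)
	}
}

// MeetsBSIMinimum reports whether an existing key satisfies the floor cited in
// the issue (RSA modulus >= 3000 bits) or is ECDSA on a >= 256-bit curve (assumed).
func MeetsBSIMinimum(key any) bool {
	switch k := key.(type) {
	case *rsa.PrivateKey:
		return k.N.BitLen() >= 3000
	case *ecdsa.PrivateKey:
		return k.Curve.Params().BitSize >= 256
	default:
		return false
	}
}
```

Running MeetsBSIMinimum over the CA, service-account and kubeconfig keys of an existing cluster is the quickest way to see which ones a default change would leave behind, since existing keys are not regenerated.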
/close
Thx @Karthik-K-N !!
@sbueringer: Closing this issue.
In response to this:
/close
Thx @Karthik-K-N !!
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.