openstack-self-signed-certificates #191
Conversation
openshift-ci-robot
added
the
size/L
|
/label platform/openstack |
|
@iamemilio: The label(s) DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: eparis, iamemilio The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
|
Thanks so much for writing this - even after-the-fact it's quite useful as it serves as a central reference point for the change, is useful to docs writers and release notes, etc. |
|
|
||
| 1. It is possible to give services authorization/credentials that they dont need and shouldnt have, and this may pose a security risk. | ||
|
|
||
| > To prevent this, we make sure that only services that need the CA cert get access to it, and the cert we pass them only has the CA cert in it. |
There was a problem hiding this comment.
This is just the serve cert, right? There's no way to leverage that for privilege escalation is there, even if it was world-readable? If this was about client TLS certs/keys, that would be different, but as far as I can tell client-side auth is not covered in this enhancement.
|
|
||
| ### Upgrade / Downgrade Strategy | ||
|
|
||
| This should not affect the Upgrade/Downgrade functionality. |
There was a problem hiding this comment.
Well, it will break downgrade if you go from a 4.4 cluster that depends on this functionality to a 4.3 cluster that does not support it. That's generally true of features that add core functionality, but maybe still worth calling out here.
6 participants
Support for user CA certs on the openstack platform