From 5b2f02f6dcfd1323c6aab4fbf483e63a953ef566 Mon Sep 17 00:00:00 2001 From: Monis Khan Date: Fri, 25 Jun 2021 22:08:10 -0400 Subject: [PATCH] csr: add expirationSeconds field to control cert lifetime This change updates the CSR API to add a new, optional field called expirationSeconds. This field is a request to the signer for the maximum duration the client wishes the cert to have. The signer is free to ignore this request based on its own internal policy. The signers built-in to KCM will honor this field if it is not set to a value greater than --cluster-signing-duration. The minimum allowed value for this field is 600 seconds (ten minutes). This change will help enforce safer durations for certificates in the Kube ecosystem and will help related projects such as cert-manager with their migration to the Kube CSR API. Future enhancements may update the Kubelet to take advantage of this field when it is configured in a way that can tolerate shorter certificate lifespans with regular rotation. Signed-off-by: Monis Khan Kubernetes-commit: cd91e59f7c351fce47c064a5162c2cb79075159c --- config/v1alpha1/types.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/v1alpha1/types.go b/config/v1alpha1/types.go index 9acd2b9..247f3fc 100644 --- a/config/v1alpha1/types.go +++ b/config/v1alpha1/types.go @@ -193,8 +193,8 @@ type CSRSigningControllerConfiguration struct { // legacyUnknownSignerConfiguration holds the certificate and key used to issue certificates for the kubernetes.io/legacy-unknown LegacyUnknownSignerConfiguration CSRSigningConfiguration - // clusterSigningDuration is the length of duration signed certificates - // will be given. + // clusterSigningDuration is the max length of duration signed certificates will be given. + // Individual CSRs may request shorter certs by setting spec.expirationSeconds. ClusterSigningDuration metav1.Duration }