diff --git a/doc/source/security/kubernetes/https-access-overview.rst b/doc/source/security/kubernetes/https-access-overview.rst index 878d56907..c23efd7bf 100644 --- a/doc/source/security/kubernetes/https-access-overview.rst +++ b/doc/source/security/kubernetes/https-access-overview.rst @@ -33,6 +33,10 @@ in the following sections. +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ | kubelet client certificate | Yes | auto-renewed by kubelet feature enabled by default | +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ + | front-proxy-client | Yes | front-proxy-client: auto-renewed by cron job | + +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ + | front-proxy-ca | Yes | front-proxy-ca: NOT AUTO-RENEWED; Default expiry is set at 10 years | + +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ | | +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ | etcd Root CA certificate | Yes | NOT AUTO-RENEWED; Default expiry is set at 10 years | 
diff --git a/doc/source/security/kubernetes/kubernetes-certificates-f4196d7cae9c.rst b/doc/source/security/kubernetes/kubernetes-certificates-f4196d7cae9c.rst index 6627fb1bf..fa3856e7a 100644 --- a/doc/source/security/kubernetes/kubernetes-certificates-f4196d7cae9c.rst +++ b/doc/source/security/kubernetes/kubernetes-certificates-f4196d7cae9c.rst @@ -13,9 +13,9 @@ for the external ``kube-apiserver`` API endpoint. By default, the Kubernetes Root |CA| is automatically generated at install time. If desired, you can externally generate a Root |CA| certificate and key, and -configure it as the Kubernetes Root |CA| during installation. Upstream -Kubernetes (v1.18) only supports a Root |CA| for the Kubernetes Root |CA|; NOT -an Intermediate |CA|. +configure it as the Kubernetes Root |CA| during installation. Currently, +StarlingX supports only Internal |CA| mode with Kubernetes, which only supports +a Root |CA| for the Kubernetes Root |CA|, not an Intermediate |CA|. The public certificate of the Kubernetes Root |CA|, whether auto-generated or specified, needs to be configured as a trusted |CA| by external servers @@ -123,6 +123,17 @@ one file: This certificate is configured to auto renew. +**front-proxy-client certificate** + +Client certificates signed by ``front-proxy`` Root |CA| certificate. It is used +by ``apiserver/aggregator`` to connect to aggregated apiserver(extension +APIserver). + +**front-proxy-ca certificate** + +The ``front-proxy`` Root |CA| certificate. front-proxy certificates are +required only if you run ``kube-proxy`` to support an extension API server. + .. toctree:: :maxdepth: 1
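Review bot: In the https-access-overview.rst table hunk, the two new rows break the naming conventions of the surrounding rows. The first column elsewhere ends in "certificate" ("kubelet client certificate", "etcd Root CA certificate"), so the new rows should read "front-proxy-client certificate" and "front-proxy-ca certificate", matching the headings added in kubernetes-certificates-f4196d7cae9c.rst. The third column also repeats the name as a prefix ("front-proxy-client: auto-renewed by cron job", "front-proxy-ca: NOT AUTO-RENEWED; ...") where the existing "etcd Root CA certificate" row simply says "NOT AUTO-RENEWED; Default expiry is set at 10 years"; drop the prefixes so the column reads uniformly.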
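Review bot: In the @@ -13,9 +13,9 @@ hunk, the replacement sentence is ambiguous and appears to conflict with the sentence before it. "which only supports a Root |CA| for the Kubernetes Root |CA|" can attach either to "Internal |CA| mode" or to "Kubernetes", and the preceding unchanged text still says you can "externally generate a Root |CA| certificate and key, and configure it as the Kubernetes Root |CA|", which a reader may take to be the opposite of "Internal |CA| mode". Suggest stating both points explicitly, e.g. "StarlingX currently supports only the Internal |CA| mode for Kubernetes. In this mode the Kubernetes Root |CA| may be auto-generated or externally generated, but it must be a Root |CA|, not an Intermediate |CA|." Also consider keeping a reference to the upstream Kubernetes limitation that the removed text carried, so the reason for the restriction is not lost.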
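Review bot: In the @@ -123,6 +123,17 @@ hunk, the two new entries omit the renewal status that the neighbouring entries carry (the preceding entry ends with "This certificate is configured to auto renew.") even though the table in https-access-overview.rst in this same change states that front-proxy-client is auto-renewed by a cron job and front-proxy-ca is NOT auto-renewed with a 10-year default expiry; add a matching sentence to each entry so the two pages agree. The front-proxy-client text also mixes singular and plural ("Client certificates" under a singular heading) and has formatting slips: "aggregated apiserver(extension APIserver)" is missing a space and uses two spellings of the same term; suggest "aggregated API server (extension API server)". Finally, the front-proxy-ca paragraph says the certificates are "required only if you run ``kube-proxy`` to support an extension API server" while the front-proxy-client paragraph says they are used by ``apiserver/aggregator``; please confirm that ``kube-proxy`` is the intended component here, since the two sentences currently name different consumers of the same certificates.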