    Sign CSRs for kubelet-serving with the server CA · 2b2f3182
    Siegfried Weber authored
    Problem:
    Only the client CA is passed to the kube-controller-manager and
    therefore CSRs with the signer name "kubernetes.io/kubelet-serving" are
    signed with the client CA. Serving certificates must be signed with the
    server CA otherwise e.g. "kubectl logs" fails with the error message
    "x509: certificate signed by unknown authority".
    
    Solution:
    Instead of providing only one CA via the kube-controller-manager
    parameter "--cluster-signing-cert-file", the corresponding CA for every
    signer is set with the parameters
    "--cluster-signing-kube-apiserver-client-cert-file",
    "--cluster-signing-kubelet-client-cert-file",
    "--cluster-signing-kubelet-serving-cert-file", and
    "--cluster-signing-legacy-unknown-cert-file".
    Signed-off-by: Siegfried Weber <mail@siegfriedweber.net>
    (cherry picked from commit e77fd182)
deps
auth.go
server.go
tunnel.go