discuss CA checksum flag for kubeadm join #50
luxas added the area/security, kind/enhancement and priority/backlog labels on Nov 25, 2016
dgoodwin pushed a commit to dgoodwin/kubeadm that referenced this issue on Feb 23, 2017
This patch adds a new binary: "checkpoint". The checkpoint program will ensure that the latest apiserver manifest is checkpointed, in case of a system / apiserver crash. It is implemented via static manifests. The checkpoint program will store a pod manifest on disk. When it detects an apiserver is not running, it will move that file into the directory that was specified as the kubelet's config dir. From there, the kubelet will see that pod manifest and run it. Once the program detects both our temporary apiserver and self-hosted apiserver are running, it will remove the manifest from the config dir, causing the kubelet to kill it and allow the self-hosted apiserver to take over.
@jbeda Is this something your new proposal will address? I guess so...
Yeah -- feel free to close this and point it at the feature comment. If/when this results in a proposal we'll open new issues around that.
From @errordeveloper on October 3, 2016 11:31
It could prevent MITM, where an attacker has guessed the JWS token, yet hasn't provided the same CA certificate.
Copied from original issue: kubernetes/kubernetes#33918