k3s/pkg/daemons
Siegfried Weber e77fd18270 Sign CSRs for kubelet-serving with the server CA
Problem:
Only the client CA is passed to the kube-controller-manager and
therefore CSRs with the signer name "kubernetes.io/kubelet-serving" are
signed with the client CA. Serving certificates must be signed with the
server CA, otherwise e.g. "kubectl logs" fails with the error message
"x509: certificate signed by unknown authority".

Solution:
Instead of providing only one CA via the kube-controller-manager
parameter "--cluster-signing-cert-file", the corresponding CA for every
signer is set with the parameters
"--cluster-signing-kube-apiserver-client-cert-file",
"--cluster-signing-kubelet-client-cert-file",
"--cluster-signing-kubelet-serving-cert-file", and
"--cluster-signing-legacy-unknown-cert-file".

Signed-off-by: Siegfried Weber <mail@siegfriedweber.net>
2021-05-05 15:59:57 -07:00
agent Add support for dual-stack Pod/Service CIDRs and node IP addresses (#3212) 2021-04-21 15:56:20 -07:00
config Add support for dual-stack Pod/Service CIDRs and node IP addresses (#3212) 2021-04-21 15:56:20 -07:00
control Sign CSRs for kubelet-serving with the server CA 2021-05-05 15:59:57 -07:00
executor Add tombstone file to etcd and catch errc etcd channel (#2592) 2020-12-07 22:30:44 +02:00