Use FreeIPA subCa to be the Kubernetes cluster external CA #72

Open
Tcharl opened this issue May 23, 2021 · 1 comment

Comments

@Tcharl
Member

Tcharl commented May 23, 2021

Describe the Enhancement:

As expressed in the Kube PKI documentation, an external CA can be used instead of the kubeadm-generated one.
This would help to integrate FreeIPA and Kube better, the ultimate goal being to have cluster admins and developers authenticated via FreeIPA-generated certificates containing their Kubernetes roles in the 'O' section.

Describe the Need:

Enhance security

Current Alternative

Using certs generated by the Kubernetes CA, but it is not related to FreeIPA at all.

@Tcharl
Member Author

Tcharl commented Jun 4, 2023

End user reverse proxy: FreeIPA to generate kube admins/ops certificates, no additional CA to download but the FreeIPA one from an end user perspective.
Technical Added value: apiserver to be protected by reverse proxy instead of firewalld rule.
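
The certificate-to-identity mapping this request relies on, as an added example that is not part of the original issue or the project's code: with X.509 client-certificate authentication, Kubernetes takes the user name from the subject CN and the groups from the O values, and RBAC bindings then grant roles to those groups. The chain, the names, and the choice to trust only the sub-CA certificate (as a `--client-ca-file` holding just that CA would) are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a constructed demo certificate signed by parent (self-signed when parent is nil).
func issue(cn string, orgs []string, isCA bool, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // demo only: an RNG failure is not handled
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		Subject: pkix.Name{CommonName: cn, Organization: orgs}, // CN = user name, each O = one group
		IsCA: isCA, BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		parent, signer = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// identity verifies leaf with clientCA as the only trust anchor, then maps CN to user and O to groups.
func identity(leaf, clientCA *x509.Certificate) (string, []string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(clientCA)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", nil, err
	}
	return leaf.Subject.CommonName, leaf.Subject.Organization, nil
}

func main() {
	root, rootKey := issue("constructed-root", nil, true, nil, nil)
	sub, subKey := issue("constructed-kube-subca", nil, true, root, rootKey)
	alice, _ := issue("alice", []string{"kube-developers", "kube-ops"}, false, sub, subKey)
	fmt.Println(identity(alice, sub))
}
```

Because only the sub-CA is a trust anchor here, `identity` rejects a certificate issued directly by the root, so other certificates from the same PKI do not authenticate to the cluster.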
