
Support for managing revoked certs #18982

@stensonb

Description

Authenticating users via x509 certs is important, but the project seems to be missing a mechanism to revoke certs (without throwing the entire chain away and regenerating ALL certs for all users).

It would be great to be able to declare which certs are invalid, and have the kube-apiserver, kubelets, and all other cert-dependent services deny service for requests with the now-invalid cert.

https://en.wikipedia.org/wiki/OCSP_stapling appears to be one way to solve this.

FYI - this is the same idea as the issue with CoreOS: etcd-io/etcd#4034
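The check the issue asks for, as an added example (editor's illustration in Go, the project's language; it is not code from the issue, from etcd, or from kube-apiserver, which had no such path when this was filed): a CA-signed revocation list consulted at verification time, so a single certificate can be declared invalid without regenerating the CA or anyone else's certificate. It implements the CRL/denylist route rather than OCSP stapling, which is a server presenting its own status to clients and does not by itself cover client certificates. The in-memory CA, the users alice and bob, their serial numbers and the one-hour CRL lifetime are all constructed for the demo; x509.ParseRevocationList needs Go 1.19 or later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// errRevoked: the leaf chains to the CA, but its serial is on the CA's CRL.
var errRevoked = errors.New("client certificate is revoked")

// sign generates a key pair and a certificate from tmpl signed by parent (nil parentKey = self-signed).
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	if parentKey == nil { parentKey = key } // self-signed: the new key signs its own certificate
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newDemoCA builds a throwaway in-memory CA (constructed for this example, not a real cluster CA).
func newDemoCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo-cluster-ca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // the CA must be allowed to sign CRLs
		SubjectKeyId: []byte{1, 2, 3, 4},                           // CreateRevocationList requires one
	}
	return sign(tmpl, tmpl, nil)
}

// issueClientCert signs a client-auth certificate for user cn; the user's private key is not kept here.
func issueClientCert(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, serial int64) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	cert, _, err := sign(tmpl, caCert, caKey)
	return cert, err
}

// revoke emits a DER CRL signed by the CA listing the given serials; the CA key and all other certs stay valid.
func revoke(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, serials ...*big.Int) ([]byte, error) {
	now := time.Now()
	rl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour)}
	for _, s := range serials {
		rl.RevokedCertificates = append(rl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, rl, caCert, caKey)
}

// verifyClient is the server-side check: chain the leaf to the trusted CA, then refuse it if its
// serial is on a CRL that the same CA signed and whose NextUpdate has not passed.
func verifyClient(caCert *x509.Certificate, crlDER []byte, leaf *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err
	}
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := rl.CheckSignatureFrom(caCert); err != nil {
		return fmt.Errorf("crl signature: %w", err) // an unsigned denylist could be tampered with
	}
	if time.Now().After(rl.NextUpdate) {
		return errors.New("crl is stale: fail closed rather than trust old revocation data")
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return errRevoked
		}
	}
	return nil
}

func main() {
	caCert, caKey, _ := newDemoCA()
	alice, _ := issueClientCert(caCert, caKey, "alice", 1001)
	bob, _ := issueClientCert(caCert, caKey, "bob", 1002)
	crl, _ := revoke(caCert, caKey, bob.SerialNumber) // declare only bob's cert invalid
	fmt.Println("alice:", verifyClient(caCert, crl, alice), "| bob:", verifyClient(caCert, crl, bob))
}
```

In a real listener, verifyClient is what you would call from tls.Config.VerifyPeerCertificate (with ClientAuth set to tls.RequireAndVerifyClientCert and the CA in ClientCAs), parsing rawCerts[0] as the leaf; the CRL should be re-fetched on a timer so NextUpdate never lapses, and the stale branch deliberately fails closed, since an attacker who can block CRL distribution should not thereby un-revoke a certificate. Checking the CRL's signature against the issuing CA matters for the same reason: a denylist anyone can rewrite is not a denylist.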

Metadata

Assignees

Labels

kind/feature: Categorizes issue or PR as related to a new feature.
lifecycle/frozen: Indicates that an issue or PR should not be auto-closed due to staleness.
priority/backlog: Higher priority than priority/awaiting-more-evidence.
sig/api-machinery: Categorizes an issue or PR as relevant to SIG API Machinery.
sig/auth: Categorizes an issue or PR as relevant to SIG Auth.

Projects

Status

Needs KEP

Milestone

No milestone

Development

No branches or pull requests