Issue with k8s.io/docs/reference/setup-tools/kubeadm/kubeadm-join/ giving insecure advice #16538

Closed
arianvp opened this issue Sep 24, 2019 · 2 comments · Fixed by #16557
Labels
priority/backlog Higher priority than priority/awaiting-more-evidence. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle.

Comments


arianvp commented Sep 24, 2019

This is a Bug Report

Problem:

The docs mention (emphasis mine):

Requires that you have some way to carry the discovery information from the control-plane node to the bootstrapping nodes. This might be possible, for example, via your cloud provider or provisioning tool. The information in this file is not secret, but HTTPS or equivalent is required to ensure its integrity.

But this is not true anymore. If the discovery file contains credentials, then kubeadm will use them. If it doesn't contain credentials, an extra --tls-bootstrap-token needs to be provided. As it says a few sentences up:

In case the discovery file does not contain credentials, the TLS discovery token will be used.

Proposed Solution:

Either remove the part about the file not being secret, or mention very clearly that if you put credentials in the kubeconfig, then you can skip the --tls-bootstrap-token step but you should treat the file as a secret.

Page to Update:
https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-join/
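
A check that follows from the report above, added here as an example and not taken from the issue or from kubeadm: it scans a discovery kubeconfig for embedded credentials and, when any are present, flags a file that group or others can access. It assumes block-style YAML and uses a line scan instead of a YAML parser; the sample files, hostname and placeholder values are constructed.

```python
import os
import re
import stat

# user-stanza fields that embed a secret directly in the kubeconfig file
EMBEDDED_SECRETS = {"token", "client-key-data", "password"}
KEY_LINE = re.compile(r"^\s*(?:-\s+)?([A-Za-z-]+)\s*:\s*(.*)$")
EMPTY = {"", "''", '""', "null", "~"}

# Constructed sample: cluster info only; a bootstrap token is supplied separately.
DISCOVERY_ONLY = """\
apiVersion: v1
kind: Config
clusters:
- name: example
  cluster:
    server: https://cp.example.internal:6443
    certificate-authority-data: PLACEHOLDER_CA
users: []
"""
# Constructed sample: the same file with an embedded credential.
WITH_CREDENTIALS = DISCOVERY_ONLY.replace("users: []\n", (
    "users:\n- name: joiner\n  user:\n"
    "    token: PLACEHOLDER_TOKEN\n    client-key-data: \"\"\n"))


def credential_fields(text):
    """Sorted names of non-empty secret fields under the top-level users: key."""
    found, in_users = set(), False
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isalpha():                  # new top-level key
            in_users = line.startswith("users:")
            continue
        m = KEY_LINE.match(line)
        if in_users and m and m.group(1) in EMBEDDED_SECRETS:
            if m.group(2).strip() not in EMPTY:
                found.add(m.group(1))
    return sorted(found)


def audit(path):
    """Return (fields, too_open); too_open means a credential-bearing file
    is readable or writable by group or others."""
    with open(path, encoding="utf-8") as fh:
        fields = credential_fields(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return fields, bool(fields) and bool(mode & 0o077)
```

A non-empty first element means the file has to be handled as a secret in transit and at rest, not only integrity-protected.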

@neolit123
Member

/assign
/sig cluster-lifecycle

@k8s-ci-robot k8s-ci-robot added the sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. label Sep 24, 2019
@sftim
Contributor

sftim commented Sep 24, 2019

/priority backlog

@k8s-ci-robot k8s-ci-robot added the priority/backlog Higher priority than priority/awaiting-more-evidence. label Sep 24, 2019