ClusterTrustBundles (previously Trust Anchor Sets)

[ahmedtd]

Enhancement Description

• One-line enhancement description (can be used as a release note): Define ClusterTrustBundle, a resource for holding X.509 trust anchors
• Kubernetes Enhancement Proposal: link
• Discussion Link: Draft doc w/ comments SIG Auth Meeting
• Primary contact (assignee): @ahmedtd
• Responsible SIGs: sig-auth
• Enhancement target (which target equals to which milestone):
  • Alpha release target (x.y): 1.27 (API), 1.28 (Kubelet)
  • Beta release target (x.y): 1.33
  • Stable release target (x.y): ??
• 1.27 - Alpha
  • KEP (k/enhancements) update PR(s):
    • KEP-3257: Trust Anchor Sets #3258
    • kep-3257: Update target milestone, record reviewers / approvers #3826
  • Code (k/k) update PR(s):
    • Add certificates.k8s.io/v1alpha1 ClusterTrustBundle kubernetes#113218
  • Docs (k/website) update PR(s):
    • ClusterTrustBundles: Add section to certificates page website#40065
• 1.28 - Alpha
  • KEP (k/enhancements) update PR(s):
  • Code (k/k) update PR(s):
    • Implement ClusterTrustBundlePEM projected volume kubernetes#113374
  • Docs (k/website) update PR(s):
• Beta
  • KEP (k/enhancements) update PR(s):
    • KEP-3257: cluster trust bundles: add a new in-tree signer and its CTB #4791
    • KEP-3257: bump CTB beta/latest-milestone to 1.33 #5025
  • Code (k/k) update PR(s):
    • trustbundles: add a new kube-apiserver-serving signer kubernetes#127326
    • ClusterTrustBundles - move to beta kubernetes#128499
  • Docs (k/website) update(s): Label kubernetes.io/cluster-trust-bundle-version not documented website#41481

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

[ahmedtd]

/sig auth

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[ritazh]

/remove-lifecycle rotten

[marosset]

Hello @ahmedtd 👋, 1.26 Enhancements team here.

Just checking in as we approach enhancements freeze on 18:00 PDT on Thursday 6th October 2022.

This enhancement is targeting for stage alpha for 1.26 (correct me, if otherwise)

Here's where this enhancement currently stands:

• KEP readme using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable for latest-milestone: 1.26
• KEP readme has a updated detailed test plan section filled out
• KEP readme has up to date graduation criteria
• KEP has a production readiness review that has been completed and merged into k/enhancements.

For this KEP, we would just need to update the following:

• Merge KEP-3257: Trust Anchor Sets #3258

The status of this enhancement is marked as at risk. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

[ahmedtd]

I'm planning to address these issues today.

[Ritikaa96]

Hey all!! while checking out this KEP there was a label that wasnt documented in the k8s docs , we tried searching for its use but couldnt find any in the current code.
So a per this comment, can we change this label kubernetes.io/cluster-trust-bundle-version to be, eg, k8s.example/cluster-trust-bundle-version ?

[sftim]

If the change is OK to make, that's a change to the KEP itself, and not to any code.

[Ritikaa96]

yes, so the change will be only in the KEP-3257: https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3257-cluster-trust-bundles
The only place it is used is here in the KEP, for ref

[Ritikaa96]

Just updated the label kubernetes.io/cluster-trust-bundle-version in PR: #4971

[sftim]

How do we feel about v1.33 for the beta promotion?

[stlaz]

How do we feel about v1.33 for the beta promotion?

That's something I'd like to do. The PR is up already, I just did not manage to get it reviewed in time the last release.

[dipesh-rawat]

Hello @ahmedtd 👋, 1.33 Enhancements Lead here.

It looks like this enhancement is being worked on as part of v1.33, so I’ve set the milestone accordingly. If this isn’t accurate, please let me know!

/milestone v1.33

[liggitt]

Plan is to promote to beta in 1.33
/milestone v1.33
/label lead-opted-in

[bianbbc87]

Hello @ahmedtd @enj 👋, v1.33 Enhancements team here.

Just checking in as we approach enhancements freeze on 02:00 UTC Friday 14th February 2025 / 19:00 PDT Thursday 13th February 2025.

This enhancement is targeting stage beta for v1.33 (correct me, if otherwise)

Here’s where this enhancement currently stands:

• KEP readme using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable for latest-milestone: v1.33. KEPs targeting stable will need to be marked as implemented after code PRs are merged and the feature gates are removed.
• KEP readme has up-to-date graduation criteria.
• KEP has submitted a production readiness review request for approval and has a reviewer assigned.
• KEP has a production readiness review that has been completed and merged into k/enhancements. (For more information on the PRR process, check here).

With all the KEP requirements in place and merged into k/enhancements, this enhancement is all good for the upcoming enhancements freeze. 🚀

The status of this enhancement is marked as Tracked for enhancements freeze. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

[enj]

@bianbbc87 the milestone was already updated in #5025

[bianbbc87]

@enj
Hi ! I've checked the changes.

It would be great if you could add #5025 to Beta KEP.
Thank you. :)

[bianbbc87]

@enj
Hi! I changed the beta release target to 1.33.
If you have any problems, please feel free to let me know.

Thank you :)

[Urvashi0109]

Hello @ahmedtd @enj 👋, v1.33 Docs Shadow here.

Does this enhancement work planned for v1.33 require any new docs or modification to existing docs?

If so, please follow the steps here to open a PR against dev-1.33 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thursday 27th February 2025 18:00 PDT.

Also, take a look at Documenting for a release to get yourself familiarize with the docs requirement for the release.

Thank you!