support kubelet bootstrap TLS

目前kubelet的证书签发机制存在以下问题:

- 安全性不高
- 非最佳实践
- 多节点使用相同证书
- 无法处理证书轮换

期望改进如下:
- [使用启动引导令牌（Bootstrap Tokens）认证](https://kubernetes.io/zh-cn/docs/reference/access-authn-authz/bootstrap-tokens/)
- [令牌认证文件](https://kubernetes.io/zh-cn/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/)
- [授权 kubelet 创建 CSR](https://kubernetes.io/zh-cn/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/#authorize-kubelet-to-create-csr)
```shell
kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
```
- 配置bootstrap-kubelet.conf(--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf)
```shell
kubectl config set-cluster kubernetes --certificate-authority=ca.pem --embed-certs=true --server=https://${api-server}:6443 --kubeconfig=bootstrap-kubelet.conf
kubectl config set-credentials kubelet-bootstrap --token=${BOOTSTRAP_TOKEN} --kubeconfig=bootstrap-kubelet.conf
kubectl config set-context default --cluster=kubernetes --user=kubelet-bootstrap --kubeconfig=bootstrap-kubelet.conf
kubectl config use-context default --kubeconfig=bootstrap-kubelet.conf
```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

support kubelet bootstrap TLS #1

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

support kubelet bootstrap TLS #1

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions