File: content/en/docs/reference/kubernetes-api/authentication-resources/pod-certificate-request-v1beta1.md
Lines changed: 51 additions & 22 deletions
@@ -70,14 +70,6 @@ PodCertificateRequestSpec describes the certificate request. All fields are imm
70
70
71
71
nodeUID is the UID of the node the pod is assigned to.
72
72
73
-
-**pkixPublicKey** ([]byte), required
74
-
75
-
pkixPublicKey is the PKIX-serialized public key the signer will issue the certificate to.
76
-
77
-
The key must be one of RSA3072, RSA4096, ECDSAP256, ECDSAP384, ECDSAP521, or ED25519. Note that this list may be expanded in the future.
78
-
79
-
Signer implementations do not need to support all key types supported by kube-apiserver and kubelet. If a signer does not support the key type used for a given PodCertificateRequest, it must deny the request by setting a status.conditions entry with a type of "Denied" and a reason of "UnsupportedKeyType". It may also suggest a key type that it does support in the message field.
80
-
81
73
-**podName** (string), required
82
74
83
75
podName is the name of the pod into which the certificate will be mounted.
@@ -86,20 +78,6 @@ PodCertificateRequestSpec describes the certificate request. All fields are imm
86
78
87
79
podUID is the UID of the pod into which the certificate will be mounted.
88
80
89
-
-**proofOfPossession** ([]byte), required
90
-
91
-
proofOfPossession proves that the requesting kubelet holds the private key corresponding to pkixPublicKey.
92
-
93
-
It is contructed by signing the ASCII bytes of the pod's UID using `pkixPublicKey`.
94
-
95
-
kube-apiserver validates the proof of possession during creation of the PodCertificateRequest.
96
-
97
-
If the key is an RSA key, then the signature is over the ASCII bytes of the pod UID, using RSASSA-PSS from RFC 8017 (as implemented by the golang function crypto/rsa.SignPSS with nil options).
98
-
99
-
If the key is an ECDSA key, then the signature is as described by [SEC 1, Version 2.0](https://www.secg.org/sec1-v2.pdf) (as implemented by the golang library function crypto/ecdsa.SignASN1)
100
-
101
-
If the key is an ED25519 key, the the signature is as described by the [ED25519 Specification](https://ed25519.cr.yp.to/) (as implemented by the golang library crypto/ed25519.Sign).
102
-
103
81
-**serviceAccountName** (string), required
104
82
105
83
serviceAccountName is the name of the service account the pod is running as.
@@ -114,6 +92,16 @@ PodCertificateRequestSpec describes the certificate request. All fields are imm
114
92
115
93
All signer names beginning with `kubernetes.io` are reserved for use by the Kubernetes project. There is currently one well-known signer documented by the Kubernetes project, `kubernetes.io/kube-apiserver-client-pod`, which will issue client certificates understood by kube-apiserver. It is currently unimplemented.
116
94
95
+
-**stubPKCS10Request** ([]byte), required
96
+
97
+
A PKCS#10 certificate signing request (DER-serialized) generated by Kubelet using the subject private key.
98
+
99
+
Most signer implementations will ignore the contents of the CSR except to extract the subject public key. The API server automatically verifies the CSR signature during admission, so the signer does not need to repeat the verification. CSRs generated by kubelet are completely empty.
100
+
101
+
The subject public key must be one of RSA3072, RSA4096, ECDSAP256, ECDSAP384, ECDSAP521, or ED25519. Note that this list may be expanded in the future.
102
+
103
+
Signer implementations do not need to support all key types supported by kube-apiserver and kubelet. If a signer does not support the key type used for a given PodCertificateRequest, it must deny the request by setting a status.conditions entry with a type of "Denied" and a reason of "UnsupportedKeyType". It may also suggest a key type that it does support in the message field.
104
+
117
105
-**maxExpirationSeconds** (int32)
118
106
119
107
maxExpirationSeconds is the maximum lifetime permitted for the certificate.
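Review bot: the two new paragraphs for stubPKCS10Request write the component as "Kubelet" ("generated by Kubelet using the subject private key") and then "kubelet" ("CSRs generated by kubelet are completely empty"); the rest of this page uses lowercase "kubelet", so use that in both. "Completely empty" is also vague for a signer author: say what the CSR does and does not carry (a subject public key and a signature, with no subject name, SANs or extensions) so that signers know they must take identity from the request fields and not from the CSR. Since the paragraph already states that the API server verifies the CSR signature during admission, one clause noting that this check replaces the old proofOfPossession field would explain to readers why that field is deprecated further down.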
@@ -122,6 +110,32 @@ PodCertificateRequestSpec describes the certificate request. All fields are imm
122
110
123
111
The signer implementation is then free to issue a certificate with any lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600 seconds (1 hour). This constraint is enforced by kube-apiserver. `kubernetes.io` signers will never issue certificates with a lifetime longer than 24 hours.
124
112
113
+
-**pkixPublicKey** ([]byte)
114
+
115
+
The PKIX-serialized public key the signer will issue the certificate to.
116
+
117
+
The key must be one of RSA3072, RSA4096, ECDSAP256, ECDSAP384, ECDSAP521, or ED25519. Note that this list may be expanded in the future.
118
+
119
+
Signer implementations do not need to support all key types supported by kube-apiserver and kubelet. If a signer does not support the key type used for a given PodCertificateRequest, it must deny the request by setting a status.conditions entry with a type of "Denied" and a reason of "UnsupportedKeyType". It may also suggest a key type that it does support in the message field.
120
+
121
+
Deprecated: This field is replaced by StubPKCS10Request. If StubPKCS10Request is set, this field must be empty. Signer implementations should extract the public key from the StubPKCS10Request field.
122
+
123
+
-**proofOfPossession** ([]byte)
124
+
125
+
A proof that the requesting kubelet holds the private key corresponding to pkixPublicKey.
126
+
127
+
It is contructed by signing the ASCII bytes of the pod's UID using `pkixPublicKey`.
128
+
129
+
kube-apiserver validates the proof of possession during creation of the PodCertificateRequest.
130
+
131
+
If the key is an RSA key, then the signature is over the ASCII bytes of the pod UID, using RSASSA-PSS from RFC 8017 (as implemented by the golang function crypto/rsa.SignPSS with nil options).
132
+
133
+
If the key is an ECDSA key, then the signature is as described by [SEC 1, Version 2.0](https://www.secg.org/sec1-v2.pdf) (as implemented by the golang library function crypto/ecdsa.SignASN1)
134
+
135
+
If the key is an ED25519 key, the the signature is as described by the [ED25519 Specification](https://ed25519.cr.yp.to/) (as implemented by the golang library crypto/ed25519.Sign).
136
+
137
+
Deprecated: This field is replaced by StubPKCS10Request. If StubPKCS10Request is set, this field must be empty.
unverifiedUserAnnotations allow pod authors to pass additional information to the signer implementation. Kubernetes does not restrict or validate this metadata in any way.
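Review bot: the re-added proofOfPossession text says the proof "is contructed by signing the ASCII bytes of the pod's UID using `pkixPublicKey`"; a signature is produced with the private key, so this should read "using the private key corresponding to `pkixPublicKey`", which also matches the sentence above it. Two typos from the removed block are carried into the new lines and should be fixed while they are being moved: "contructed" should be "constructed", and "the the signature is as described by the ED25519 Specification" has a doubled "the". The key-type list and the "Denied"/"UnsupportedKeyType" paragraph now appear twice, once under stubPKCS10Request and once under the deprecated pkixPublicKey; consider keeping them only under stubPKCS10Request and having the deprecated field's text point there, so the two copies cannot drift apart.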
@@ -382,6 +396,11 @@ GET /apis/certificates.k8s.io/v1beta1/namespaces/{namespace}/podcertificatereque
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
43
+
metadata is standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
Status is filled in by the server with the user attributes.
47
+
status is filled in by the server with the user attributes.
48
48
49
49
50
50
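Review bot: the new metadata description here reads "metadata is standard object's metadata", while the same field in the later hunk of this commit reads "metadata is the standard object's metadata"; pick one form (the version with "the" is grammatical) and use it in both files.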
@@ -58,28 +58,28 @@ SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user.
58
58
59
59
-**userInfo** (UserInfo)
60
60
61
-
User attributes of the user making this request.
61
+
userInfo is a set of attributes belonging to the user making this request.
62
62
63
63
<aname="UserInfo"></a>
64
64
*UserInfo holds the information about the user needed to implement the user.Info interface.*
65
65
66
66
-**userInfo.extra** (map[string][]string)
67
67
68
-
Any additional information provided by the authenticator.
68
+
extra is any additional information provided by the authenticator.
69
69
70
70
-**userInfo.groups** ([]string)
71
71
72
72
*Atomic: will be replaced during a merge*
73
73
74
-
The names of groups this user is a part of.
74
+
groups is the names of groups this user is a part of.
75
75
76
76
-**userInfo.uid** (string)
77
77
78
-
A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs.
78
+
uid is a unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs.
79
79
80
80
-**userInfo.username** (string)
81
81
82
-
The name that uniquely identifies this user among all active users.
82
+
username is the name that uniquely identifies this user among all active users.
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
43
+
metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
Status is filled in by the server and indicates whether the token can be authenticated.
51
+
status is filled in by the server and indicates whether the token can be authenticated.
52
52
53
53
54
54
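Review bot: "groups is the names of groups this user is a part of" mixes a singular verb with a plural complement; since the field is a []string, "groups is the list of groups this user is a member of" (or "groups lists the groups this user is a part of") reads better. The other rewrites in this hunk ("extra is any additional information provided by the authenticator", "uid is a unique value that identifies this user across time") follow the field-name-first convention consistently and look fine.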
@@ -60,38 +60,38 @@ TokenRequestSpec contains client provided parameters of a token request.
60
60
61
61
<hr>
62
62
63
-
-**audiences** ([]string), required
63
+
-**audiences** ([]string)
64
64
65
65
*Atomic: will be replaced during a merge*
66
66
67
-
Audiences are the intendend audiences of the token. A recipient of a token must identify themself with an identifier in the list of audiences of the token, and otherwise should reject the token. A token issued for multiple audiences may be used to authenticate against any of the audiences listed but implies a high degree of trust between the target audiences.
67
+
audiences are the intendend audiences of the token. A recipient of a token must identify themself with an identifier in the list of audiences of the token, and otherwise should reject the token. A token issued for multiple audiences may be used to authenticate against any of the audiences listed but implies a high degree of trust between the target audiences.
68
68
69
69
-**boundObjectRef** (BoundObjectReference)
70
70
71
-
BoundObjectRef is a reference to an object that the token will be bound to. The token will only be valid for as long as the bound object exists. NOTE: The API server's TokenReview endpoint will validate the BoundObjectRef, but other audiences may not. Keep ExpirationSeconds small if you want prompt revocation.
71
+
boundObjectRef is a reference to an object that the token will be bound to. The token will only be valid for as long as the bound object exists. NOTE: The API server's TokenReview endpoint will validate the BoundObjectRef, but other audiences may not. Keep ExpirationSeconds small if you want prompt revocation.
72
72
73
73
<aname="BoundObjectReference"></a>
74
74
*BoundObjectReference is a reference to an object that a token is bound to.*
75
75
76
76
-**boundObjectRef.apiVersion** (string)
77
77
78
-
API version of the referent.
78
+
apiVersion is API version of the referent.
79
79
80
80
-**boundObjectRef.kind** (string)
81
81
82
-
Kind of the referent. Valid kinds are 'Pod' and 'Secret'.
82
+
kind of the referent. Valid kinds are 'Pod' and 'Secret'.
83
83
84
84
-**boundObjectRef.name** (string)
85
85
86
-
Name of the referent.
86
+
name of the referent.
87
87
88
88
-**boundObjectRef.uid** (string)
89
89
90
-
UID of the referent.
90
+
uid of the referent.
91
91
92
92
-**expirationSeconds** (int64)
93
93
94
-
ExpirationSeconds is the requested duration of validity of the request. The token issuer may return a token with a different validity duration so a client needs to check the 'expiration' field in a response.
94
+
expirationSeconds is the requested duration of validity of the request. The token issuer may return a token with a different validity duration so a client needs to check the 'expiration' field in a response.
95
95
96
96
97
97
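Review bot: changing `-**audiences** ([]string), required` to `-**audiences** ([]string)` alters the documented schema, not just the description text, while every other change in this hunk is a rewording; please confirm that the generated OpenAPI data for TokenRequestSpec actually marks audiences as optional before dropping the marker. The new audiences sentence also carries over two spelling errors from the removed line, "intendend" (intended) and "themself" (themselves), and the new boundObjectRef.apiVersion text "apiVersion is API version of the referent" is missing "the".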
@@ -103,16 +103,16 @@ TokenRequestStatus is the result of a token request.
103
103
104
104
<hr>
105
105
106
-
-**expirationTimestamp** (Time), required
106
+
-**expirationTimestamp** (Time)
107
107
108
-
ExpirationTimestamp is the time of expiration of the returned token.
108
+
expirationTimestamp is the time of expiration of the returned token.
109
109
110
110
<aname="Time"></a>
111
111
*Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.*
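Review bot: as with audiences above, `-**expirationTimestamp** (Time), required` becomes `-**expirationTimestamp** (Time)`, which removes the required marker from a status field rather than rewording its description; confirm this matches the TokenRequestStatus schema the page is generated from, and if both removals are intentional, mention them in the commit description so they are not mistaken for accidental edits.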