Comments (9)
kfox1111
commented on July 21, 2024
1
@azdagron I agree, except that there has been an open issue about it in kubeadm for ages.It is the norm, not the exception. :/
kubernetes/kubeadm#1223
Honestly, I'd like to see the spire team work with the kubelet team and add spire support to kubelet, so that kubelet server/client certs are from spire itself. This would go a very long way to solve a very old Kubernetes problem.
from helm-charts.
faisal-memon
commented on July 21, 2024
what kind of additional config do we need to verify kubelet? Ive never run with that setting.
from helm-charts.
kfox1111
commented on July 21, 2024
I think the plugin config stuff we've been talking about could handle this override? will likely need other config as well to work such as including the ca that signed the kubelets.
from helm-charts.
azdagron
commented on July 21, 2024
I personally feel like skipping kubelet verification is the wrong default. As a project, we should aim for secure-by-default. If someone needs to disable that (because they are running in minikube) then they should be the special case.
from helm-charts.
faisal-memon
commented on July 21, 2024
I personally feel like skipping kubelet verification is the wrong default. As a project, we should aim for secure-by-default. If someone needs to disable that (because they are running in minikube) then they should be the special case.
Valid point. But still the first interaction most people will have with this project is through minikube or docker desktop. Id like it to work out of the gate on those platforms to ensure a good user experience. And then have guides for more production scale deployments.
from helm-charts.
kfox1111
commented on July 21, 2024
I think it might be good to add some warnings in the generated notes if the value is true though? Lets the user know there may be a problem. They can then choose to ignore it if they think it is not a problem, or they will know it needs fixing?
from helm-charts.
azdagron
commented on July 21, 2024
Is there a "so you want to run this in production? here's what to consider" checklist anywhere? I'm with @kfox1111, the louder we can be about this kind of stuff, the better.
from helm-charts.
kfox1111
commented on July 21, 2024
So far, we've been putting all the recommended settings in examples/production/values.yaml that the user can directly include. This is one of the first that we can't really do a setting but need the user to consider some things.
So, would the checklist being in the generated NOTES work better, as it can be generated to include/exclude things based on the users actual specified values, or should it be outside of the chart where it may get a bit more visibility?
from helm-charts.
kfox1111
commented on July 21, 2024
I could take a stab at a NOTES patch, but I think it probably should depend on #166. Would greatly simplify the checks if it could verify global.spire.profile[x].production was specified.
from helm-charts.
Related Issues (20)
- cert manager upstream has inconsistent casing
- pre-delete failure
- spire-server + tests selector HOT 1
- oidc is invalid when jwtIssuer includes protocol
- ClusterSPIFFEID CR is included when CRD is found in the chart HOT 10
- Poorly named property in upstream-spire-agent / spire-agent HOT 3
- Create a second kind of tiered deployment that has the upstream agent co-deployed in the spire-server Pod
- Cannot control deployment of sub charts in error avoiding patterns
- FAQ
- Uninstalling CSI Driver orphans all pods using the csidriver HOT 10
- ACTION REQUIRED: Changes to pulling Chainguard Images HOT 7
- No use of example.org HOT 1
- Setup and document the weekly meeting recordings. HOT 1
- spire-oidc does not start if federatesWith contains a down federated endpoint HOT 7
- New image has to be added to update-tags script
- High Availability HOT 11
- Upgrade tests
- We should review the migration of the PR for the Getting Started Documentation into the helm-charts project. HOT 1
- New documentation tool does not combine the docs from dependency charts in README.md
- 1.8 -> 1.9 changes
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from helm-charts.