09:03:52 <flwang1> #startmeeting magnum
09:03:53 <openstack> Meeting started Wed Aug 12 09:03:52 2020 UTC and is due to finish in 60 minutes. The chair is flwang1. Information about MeetBot at http://wiki.debian.org/MeetBot.
09:03:54 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
09:03:56 <openstack> The meeting name has been set to 'magnum'
09:04:16 <flwang1> i only have one thing to bring to you guys' attention
09:04:29 <flwang1> but i'd like to allow you guys to talk first
09:04:38 <flwang1> brtknr: anything from your side?
09:06:01 <brtknr> well there's a bunch of open reviews which would be good to deal with: https://review.opendev.org/#/q/project:openstack/magnum+status:open
09:08:06 <flwang1> brtknr: sure, i will start to review them soon
09:08:17 <flwang1> just had a quick look, most of them are small changes
09:08:49 <brtknr> atm, k8s-atomic is broken on master without this patch: https://review.opendev.org/#/c/745359/
09:09:20 <brtknr> that's about it really
09:09:27 <brtknr> what do you need to talk about?
09:10:04 <flwang1> brtknr: is the failure of magnum-tempest-plugin-tests-api related?
09:10:39 <flwang1> brtknr: i'd like to propose a patch to support separate CA for etcd and front-proxy
09:10:56 <flwang1> it's a security risk
09:11:52 <brtknr> flwang1: no, magnum-tempest-plugin-tests-api only deploys coreos
09:12:04 <brtknr> flwang1: no, magnum-tempest-plugin-tests-api only deploys fedora-coreos
09:12:46 <brtknr> flwang1: ok how is it a security risk?
09:13:22 <flwang1> now we're sharing the same ca cert for kubelet, etcd and front-proxy
09:13:35 <flwang1> which means a user can use the ca cert in any node to access etcd
09:14:53 <brtknr> but a user that has access to a node also has access to any cert
09:17:49 <flwang1> we're talking about the case that the node is hacked
09:18:39 <flwang1> it's a typical best practice by any k8s install tool or managed service
09:21:17 <flwang1> i can't find the link on k8s doc, i will show you later
09:22:02 <brtknr> flwang1:
09:22:30 <brtknr> i guess it makes sense from the POV of separating CA for kubelet and etcd
09:22:38 <brtknr> since etcd is usually running on master
09:22:50 <brtknr> and normal workload only runs on minions
09:23:09 <flwang1> yes, it's
09:24:31 <flwang1> brtknr: did you get a chance to revisit the ca rotate patch?
09:24:58 <jakeyip> I'd like to know more about this too, can you share the doc here if you don't mind?
09:25:10 <flwang1> jakeyip: which one?
09:25:37 <jakeyip> security best practice of separating certs
09:26:14 <flwang1> https://github.com/kubernetes/kubeadm/issues/710
09:26:42 <flwang1> https://kubernetes.io/docs/reference/setup-tools/kubeadm/implementation-details/
09:30:18 <flwang1> jakeyip: does that make sense?
09:30:49 <flwang1> it's actually quite straightforward to implement
09:31:09 <flwang1> we may need a db schema change to add extra fields
09:34:41 <jakeyip> I don't think I'm knowledgeable enough to give comments
09:34:59 <jakeyip> stupid question - do the minions not need to contact etcd to report in their status?
09:38:50 <flwang1> minions only talk to api server
09:42:53 <jakeyip> ok I will need to read up more
09:43:51 <jakeyip> what is this etcd used for?
09:44:51 <jakeyip> anyway I've got a question if no one is discussing anything else?
09:46:49 <brtknr> re
09:46:51 <brtknr> sure
09:47:40 <jakeyip> anyone uses istio? any idea if deploying a service mesh with magnum is a good idea?
09:47:59 <brtknr> flwang1: thanks for reminding me about the CA rotate patch, I will take a look at it when I have some free time next week, busy all week this week on a scheduled piece of work I'm afraid
09:48:23 <flwang1> brtknr: thanks
09:48:34 <flwang1> jakeyip: we're not using istio yet
09:48:41 <brtknr> jakeyip: I've tried istio last year, the older version seemed to work okay, the newer version i had some issues with
09:48:49 <flwang1> but i'm happy to see if you want to contribute it
09:49:13 <jakeyip> brtknr: what kind of issues?
09:49:33 <brtknr> i can't remember, it didn't deploy cleanly
09:49:39 <brtknr> i was just following the docs
09:49:50 <jakeyip> flwang1: sure. all these are pretty new to us and it is just a question from users for now
09:54:57 <flwang1> anything else?
09:55:03 <flwang1> i'm going to go off now
09:57:16 <flwang1> #endmeeting