09:03:52 #startmeeting magnum
09:03:53 Meeting started Wed Aug 12 09:03:52 2020 UTC and is due to finish in 60 minutes. The chair is flwang1. Information about MeetBot at http://wiki.debian.org/MeetBot.
09:03:54 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
09:03:56 The meeting name has been set to 'magnum'
09:04:16 i only have one thing to bring to you guys' attention
09:04:29 but i'd like to allow you guys to talk first
09:04:38 brtknr: anything from your side?
09:06:01 well there's a bunch of open reviews which would be good to deal with: https://review.opendev.org/#/q/project:openstack/magnum+status:open
09:08:06 brtknr: sure, i will start to review them soon
09:08:17 just had a quick look, most of them are small changes
09:08:49 atm, k8s-atomic is broken on master without this patch: https://review.opendev.org/#/c/745359/
09:09:20 that's about it really
09:09:27 what do you need to talk about?
09:10:04 brtknr: is the failure of magnum-tempest-plugin-tests-api related?
09:10:39 brtknr: i'd like to propose a patch to support separate CA for etcd and front-proxy
09:10:56 it's a security risk
09:11:52 flwang1: no, magnum-tempest-plugin-tests-api only deploys coreos
09:12:04 flwang1: no, magnum-tempest-plugin-tests-api only deploys fedora-coreos
09:12:46 flwang1: ok, how is it a security risk?
09:13:22 now we're sharing the same ca cert for kubelet, etcd and front-proxy
09:13:35 which means a user can use the ca cert on any node to access etcd
09:14:53 but a user that has access to a node also has access to any cert
09:17:49 we're talking about the case that the node is hacked
09:18:39 it's a typical best practice by any k8s install tool or managed service
09:21:17 i can't find the link in the k8s docs, i will show you later
09:22:02 flwang1:
09:22:30 i guess it makes sense from the POV of separating CA for kubelet and etcd
09:22:38 since etcd is usually running on master
09:22:50 and normal workload only runs on minions
09:23:09 yes, it is
09:24:31 brtknr: did you get a chance to revisit the ca rotate patch?
09:24:58 I'd like to know more about this too, can you share the doc here if you don't mind?
09:25:10 jakeyip: which one?
09:25:37 security best practice of separating certs
09:26:14 https://github.com/kubernetes/kubeadm/issues/710
09:26:42 https://kubernetes.io/docs/reference/setup-tools/kubeadm/implementation-details/
09:30:18 jakeyip: does that make sense?
09:30:49 it's actually quite straightforward to implement
09:31:09 we may need a db schema change to add extra fields
09:34:41 I don't think I'm knowledgeable enough to give comments
09:34:59 stupid question - do the minions not need to contact etcd to report their status?
09:38:50 minions only talk to the api server
09:42:53 ok, I will need to read up more
09:43:51 what is this etcd used for?
09:44:51 anyway I've got a question if no one is discussing anything else?
09:46:49 re
09:46:51 sure
09:47:40 anyone use istio? any idea if deploying a service mesh with magnum is a good idea?
09:47:59 flwang1: thanks for reminding me about the CA rotate patch, I will take a look at it when I have some free time next week, busy all week this week on a scheduled piece of work I'm afraid
09:48:23 brtknr: thanks
09:48:34 jakeyip: we're not using istio yet
09:48:41 jakeyip: I've tried istio last year, the older version seemed to work okay, the newer version i had some issues with
09:48:49 but i'm happy to see it if you want to contribute it
09:49:13 brtknr: what kind of issues?
09:49:33 i can't remember, it didn't deploy cleanly
09:49:39 i was just following the docs
09:49:50 flwang1: sure. all these are pretty new to us and it is just a question from users for now
09:54:57 anything else?
09:55:03 i'm going off now
09:57:16 #endmeeting