diff --git a/doc/source/security/kubernetes/kubernetes-root-ca-certificate.rst b/doc/source/security/kubernetes/kubernetes-root-ca-certificate.rst index 2079ff680..5e6d396c8 100644 --- a/doc/source/security/kubernetes/kubernetes-root-ca-certificate.rst +++ b/doc/source/security/kubernetes/kubernetes-root-ca-certificate.rst @@ -6,6 +6,15 @@ Install Custom Kubernetes Root CA Certificate ============================================= +.. note:: + + The overrides ``k8s_root_ca_cert``, ``k8s_root_ca_key`` and, + ``apiserver_cert_sans`` are planned to be be discontinued in future releases. + External connections to kube-apiserver go through a proxy which uses the + REST API/GUI certificate, issued by the Platform Issuer (system-local-ca). + For instructions on how to configure the Platform Issuer, see `https://docs.starlingx.io/deploy_install_guides/release/ansible_bootstrap_configs.html#platform-issuer-system-local-ca `__. + + By default, the K8S Root |CA| certificate and key are auto-generated and result in the other Kubernetes certificates being signed by an internal not well-known |CA|; for example, for the Kubernetes API server certificate. @@ -53,12 +62,12 @@ must be in |PEM| format and the value must be provided as part of a pair with . .. note:: - + Ensure the certificates have RSA key length >= 2048 bits. The |prod-long| Release |this-ver| provides a new version of ``openssl`` which requires a minimum of 2048-bit keys for RSA for better security / encryption strength. - + You can check the key length by running ``openssl x509 -in -noout -text`` and looking for the "Public-Key" in the output. For more information see :ref:`Create Certificates Locally using openssl `.