-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bump RSA key size to 3072-bits to meet German federal BSI Technical Guideline TR-02102-2 #10077
Comments
This issue is currently awaiting triage. If CAPI contributors determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Kubeadm bug here: kubernetes/kubeadm#3003 |
Discussion in Slack suggests that we should provide options rather than change defaults, and encourage people to go to elliptic curve where possible. |
/priority important-longterm |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/remove-lifecycle stale |
What steps did you take and what happened?
Use kubeadmcontrolplane
What did you expect to happen?
This would have been a feature request, but as of 2024/1/1 this is now a bug. Germany's BSI (Federal Office for Information Security) requires government systems to use at least 3000 bit RSA keys since 2024/1/1. This means that kubeadm cannot meet federal security standards as the 2048-bit RSA key length is hardcoded.
3000+ bit keys are considered good until 2030.
Recommend changing the default to 3072-bits. This should have no impact on existing clusters.
Cluster API version
main / v1.6.1
Kubernetes version
N/A
Anything else you would like to add?
No other deltas with the standard were found.
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-2.pdf?__blob=publicationFile&v=10
Label(s) to be applied
/kind bug
One or more /area label. See https://github.com/kubernetes-sigs/cluster-api/labels?q=area for the list of labels.
The text was updated successfully, but these errors were encountered: