Skip to content

docs: clarify matching behavior for --peer-cert-allowed-cn and --cert-allowed-hostname flags#1171

Open
AshrafAhmed9 wants to merge 2 commits into
etcd-io:mainfrom
AshrafAhmed9:clarify-cert-flag-matching
Open

docs: clarify matching behavior for --peer-cert-allowed-cn and --cert-allowed-hostname flags#1171
AshrafAhmed9 wants to merge 2 commits into
etcd-io:mainfrom
AshrafAhmed9:clarify-cert-flag-matching

Conversation

@AshrafAhmed9
Copy link
Copy Markdown

@AshrafAhmed9 AshrafAhmed9 commented Jun 3, 2026

Closes #1062

Summary

Adds two clarifying sentences to the --peer-cert-allowed-cn section of the security documentation (v3.5, v3.6, v3.7) to explain the exact matching semantics:

  • --peer-cert-allowed-cn performs an exact string comparison against the certificate's Common Name (CN) field — no wildcards or prefix matching is supported.
    • --peer-cert-allowed-hostname and --client-cert-allowed-hostname use Go's x509.Certificate.VerifyHostname(), which supports both exact hostnames and wildcard entries (e.g. *.example.com).
      This distinction was not previously documented and caused confusion for users who expected wildcard support in the CN flag.

Files Changed

  • content/en/docs/v3.5/op-guide/security.md
    • content/en/docs/v3.6/op-guide/security.md
    • content/en/docs/v3.7/op-guide/security.md

@AshrafAhmed9
docs: clarify matching behavior for cert-allowed-cn and cert-allowed-…
8fdd049 
…hostname flags

Signed-off-by: ashrafahmed9 <ashrafahmed1232@gmail.com>
@AshrafAhmed9
docs: clarify matching behavior for cert-allowed-cn and cert-allowed-…
14a6f9b 
…hostname flags

Signed-off-by: ashrafahmed9 <ashrafahmed1232@gmail.com>
@k8s-ci-robot
Copy link
Copy Markdown

k8s-ci-robot commented Jun 3, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: AshrafAhmed9
Once this PR has been reviewed and has the lgtm label, please assign wenjiaswe for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot
Copy link
Copy Markdown

k8s-ci-robot commented Jun 3, 2026

Hi @AshrafAhmed9. Thanks for your PR.

I'm waiting for a etcd-io member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@AshrafAhmed9 AshrafAhmed9 mentioned this pull request Jun 3, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

needs-ok-to-test size/XS

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Clarify what "match" means for --*-cert-allowed-{cn/hostname} flags

2 participants

@AshrafAhmed9 @k8s-ci-robot