Bump RSA key size to 3072-bits to meet German federal BSI Technical Guideline TR-02102-2

[randomvariable]

What steps did you take and what happened?

Use kubeadmcontrolplane

What did you expect to happen?

This would have been a feature request, but as of 2024/1/1 this is now a bug. Germany's BSI (Federal Office for Information Security) requires government systems to use at least 3000 bit RSA keys since 2024/1/1. This means that kubeadm cannot meet federal security standards as the 2048-bit RSA key length is hardcoded.

3000+ bit keys are considered good until 2030.

Recommend changing the default to 3072-bits. This should have no impact on existing clusters.

Cluster API version

main / v1.6.1

Kubernetes version

N/A

Anything else you would like to add?

No other deltas with the standard were found.

https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-2.pdf?__blob=publicationFile&v=10

Label(s) to be applied

/kind bug
One or more /area label. See https://github.com/kubernetes-sigs/cluster-api/labels?q=area for the list of labels.

[k8s-ci-robot]

This issue is currently awaiting triage.

If CAPI contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[randomvariable]

Kubeadm bug here: kubernetes/kubeadm#3003

[randomvariable]

Discussion in Slack suggests that we should provide options rather than change defaults, and encourage people to go to elliptic curve where possible.

[fabriziopandini]

/priority important-longterm

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[sbueringer]

/remove-lifecycle stale
/lifecycle frozen

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale