Merge pull request #1 from digitalocean/wwarren/validate-CSR-CN-by-CS…

…R-username Validate CSR CN against CSR.Spec.Username
digitalocean · Aug 27, 2019 · 59d8c78 · 59d8c78
2 parents 602e5db + 6986f09
commit 59d8c78
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 7 deletions.
diff --git a/pkg/controller/certificatesigningrequest/certificatesigningrequest_controller.go b/pkg/controller/certificatesigningrequest/certificatesigningrequest_controller.go
@@ -129,16 +129,16 @@ func (r *ReconcileCertificateSigningRequest) Reconcile(request reconcile.Request
 		}
 
 		if approved {
-			log.Printf("approving csr %s with SANS: %s, IP Address:%s\n", csr.ObjectMeta.Name, x509cr.DNSNames, x509cr.IPAddresses)
+			log.Printf("approving csr %s with SANs: %s, IP Addresses:%s\n", csr.ObjectMeta.Name, x509cr.DNSNames, x509cr.IPAddresses)
 			appendApprovalCondition(csr, recognizer.successMessage)
 			_, err = r.clientset.CertificatesV1beta1().CertificateSigningRequests().UpdateApproval(csr)
 			if err != nil {
 				log.Printf("error updating approval for csr: %v\n", err)
 				return reconcile.Result{}, fmt.Errorf("error updating approval for csr: %v", err)
 			}
 		} else {
-			log.Printf("SubjectAccessReview not succesfull for CSR %s\n", request.NamespacedName)
-			return reconcile.Result{}, fmt.Errorf("SubjectAccessReview not succesfull")
+			log.Printf("SubjectAccessReview not successful for CSR %s\n", request.NamespacedName)
+			return reconcile.Result{}, fmt.Errorf("SubjectAccessReview failed")
 		}
 
 		return reconcile.Result{}, nil
@@ -179,7 +179,7 @@ func (r *ReconcileCertificateSigningRequest) authorize(csr *capi.CertificateSign
 func appendApprovalCondition(csr *capi.CertificateSigningRequest, message string) {
 	csr.Status.Conditions = append(csr.Status.Conditions, capi.CertificateSigningRequestCondition{
 		Type:    capi.CertificateApproved,
-		Reason:  "AutoApproved",
+		Reason:  "AutoApproved by kubelet-rubber-stamp",
 		Message: message,
 	})
 }
diff --git a/pkg/controller/certificatesigningrequest/helpers.go b/pkg/controller/certificatesigningrequest/helpers.go
@@ -6,7 +6,6 @@ import (
 	"errors"
 	"log"
 	"reflect"
-	"strings"
 
 	capi "k8s.io/api/certificates/v1beta1"
 )
@@ -80,8 +79,8 @@ func isNodeServingCert(csr *capi.CertificateSigningRequest, x509cr *x509.Certifi
 		log.Println("Usage does not match")
 		return false
 	}
-	if !strings.HasPrefix(x509cr.Subject.CommonName, "system:node:") {
-		log.Printf("CN does not match: %s\n", x509cr.Subject.CommonName)
+	if csr.Spec.Username != x509cr.Subject.CommonName {
+		log.Println("x509 CN %q doesn't match CSR username %q", x509cr.Subject.CommonName, csr.Spec.Username)
 		return false
 	}
 	return true