From 887c860c14e42ca2d36ea6b515aad746396c7e4a Mon Sep 17 00:00:00 2001
From: Wayne Warren
Date: Mon, 19 Aug 2019 20:42:01 +0000
Subject: [PATCH 1/3] nitpick spelling & semantics

---
 .../certificatesigningrequest_controller.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkg/controller/certificatesigningrequest/certificatesigningrequest_controller.go b/pkg/controller/certificatesigningrequest/certificatesigningrequest_controller.go
index 8c5050e..c249323 100644
--- a/pkg/controller/certificatesigningrequest/certificatesigningrequest_controller.go
+++ b/pkg/controller/certificatesigningrequest/certificatesigningrequest_controller.go
@@ -129,7 +129,7 @@ func (r *ReconcileCertificateSigningRequest) Reconcile(request reconcile.Request
 	}
 	if approved {
-		log.Printf("approving csr %s with SANS: %s, IP Address:%s\n", csr.ObjectMeta.Name, x509cr.DNSNames, x509cr.IPAddresses)
+		log.Printf("approving csr %s with SANs: %s, IP Addresses:%s\n", csr.ObjectMeta.Name, x509cr.DNSNames, x509cr.IPAddresses)
 		appendApprovalCondition(csr, recognizer.successMessage)
 		_, err = r.clientset.CertificatesV1beta1().CertificateSigningRequests().UpdateApproval(csr)
 		if err != nil {
@@ -137,8 +137,8 @@ func (r *ReconcileCertificateSigningRequest) Reconcile(request reconcile.Request
 			return reconcile.Result{}, fmt.Errorf("error updating approval for csr: %v", err)
 		}
 	} else {
-		log.Printf("SubjectAccessReview not succesfull for CSR %s\n", request.NamespacedName)
-		return reconcile.Result{}, fmt.Errorf("SubjectAccessReview not succesfull")
+		log.Printf("SubjectAccessReview not successful for CSR %s\n", request.NamespacedName)
+		return reconcile.Result{}, fmt.Errorf("SubjectAccessReview failed")
 	}

 	return reconcile.Result{}, nil

From c0adcab292342b7c51f806e195f3f67973e0a60a Mon Sep 17 00:00:00 2001
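Review bot: The rewritten error in the else branch of the second hunk, `fmt.Errorf("SubjectAccessReview failed")`, drops the CSR identity that the log line just above it still carries, so anything that only sees the returned error cannot tell which request was refused; a format call with no verbs is also what `errors.New` is for. Putting the identity in the error and dropping the duplicate log line keeps the error handled at one layer: `return reconcile.Result{}, fmt.Errorf("SubjectAccessReview not successful for CSR %s", request.NamespacedName)`. Returning an error from Reconcile presumably also makes the controller requeue and re-run a review that was denied rather than one that failed; if a denied review is a final answer, logging it and returning `reconcile.Result{}, nil` avoids retrying it indefinitely. Reconcile's body starts and ends outside both hunks.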
From: Wayne Warren
Date: Mon, 19 Aug 2019 20:42:54 +0000
Subject: [PATCH 2/3] implicate kubelet-rubber-stamp in CertificateApproved reason

---
 .../certificatesigningrequest_controller.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/controller/certificatesigningrequest/certificatesigningrequest_controller.go b/pkg/controller/certificatesigningrequest/certificatesigningrequest_controller.go
index c249323..07558a2 100644
--- a/pkg/controller/certificatesigningrequest/certificatesigningrequest_controller.go
+++ b/pkg/controller/certificatesigningrequest/certificatesigningrequest_controller.go
@@ -179,7 +179,7 @@ func (r *ReconcileCertificateSigningRequest) authorize(csr *capi.CertificateSign
 func appendApprovalCondition(csr *capi.CertificateSigningRequest, message string) {
 	csr.Status.Conditions = append(csr.Status.Conditions, capi.CertificateSigningRequestCondition{
 		Type: capi.CertificateApproved,
-		Reason: "AutoApproved",
+		Reason: "AutoApproved by kubelet-rubber-stamp",
 		Message: message,
 	})
 }

From 6986f09a1f0ddfdbd84b866b457fd4a9508f77d0 Mon Sep 17 00:00:00 2001
From: Wayne Warren
Date: Mon, 26 Aug 2019 16:23:48 +0000
Subject: [PATCH 3/3] Validate CSR CN against CSR.Spec.Username

---
 pkg/controller/certificatesigningrequest/helpers.go | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/pkg/controller/certificatesigningrequest/helpers.go b/pkg/controller/certificatesigningrequest/helpers.go
index fa99e9b..389f700 100644
--- a/pkg/controller/certificatesigningrequest/helpers.go
+++ b/pkg/controller/certificatesigningrequest/helpers.go
@@ -6,7 +6,6 @@ import (
 	"errors"
 	"log"
 	"reflect"
-	"strings"

 	capi "k8s.io/api/certificates/v1beta1"
 )
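Review bot: `Reason: "AutoApproved by kubelet-rubber-stamp"` puts spaces and a hyphenated name into a condition field that the Kubernetes API conventions reserve for a single CamelCase token intended for programmatic matching and concise `kubectl` output; the human-readable attribution belongs in `Message`, which appendApprovalCondition already takes from its caller. A token such as `Reason: "AutoApprovedByKubeletRubberStamp",` keeps the attribution the commit is after without breaking anything that selects conditions by Reason. The import-only hunk of patch 3 that shares this line is fine as is.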
@@ -80,8 +79,8 @@ func isNodeServingCert(csr *capi.CertificateSigningRequest, x509cr *x509.Certifi
 		log.Println("Usage does not match")
 		return false
 	}
-	if !strings.HasPrefix(x509cr.Subject.CommonName, "system:node:") {
-		log.Printf("CN does not match: %s\n", x509cr.Subject.CommonName)
+	if csr.Spec.Username != x509cr.Subject.CommonName {
+		log.Println("x509 CN %q doesn't match CSR username %q", x509cr.Subject.CommonName, csr.Spec.Username)
 		return false
 	}
 	return true
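Review bot: The added `log.Println("x509 CN %q doesn't match CSR username %q", ...)` passes format verbs to Println, so the output is the literal template followed by the two values, and `go vet` flags it; it should read `log.Printf("x509 CN %q doesn't match CSR username %q\n", x509cr.Subject.CommonName, csr.Spec.Username)`. The equality check itself is a stronger binding than the removed prefix test, because Spec.Username is set by the API server from the authenticated requester rather than taken from the CSR body, but the `system:node:` requirement on the CN disappears with it. Unless the earlier part of isNodeServingCert, which starts outside this hunk, already checks the `system:nodes` organization or the username prefix, any identity whose CN equals its own username now passes this step, and keeping the prefix check alongside the equality would close that gap.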