
Add new CLI flag to enable TLS SAN CN filtering
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
brandond committed Aug 29, 2023
1 parent 8d6483a commit f365a9c
Showing 4 changed files with 12 additions and 2 deletions.
6 changes: 6 additions & 0 deletions pkg/cli/cmds/server.go
Expand Up @@ -47,6 +47,7 @@ type Server struct {
KubeConfigMode string
HelmJobImage string
TLSSan cli.StringSlice
TLSSanSecurity bool
BindAddress string
EnablePProf bool
ExtraAPIArgs cli.StringSlice
Expand Down Expand Up @@ -202,6 +203,11 @@ var ServerFlags = []cli.Flag{
Usage: "(listener) Add additional hostnames or IPv4/IPv6 addresses as Subject Alternative Names on the server TLS cert",
Value: &ServerConfig.TLSSan,
},
&cli.BoolFlag{
Name: "tls-san-security",
Usage: "(listener) Protect the server TLS cert by refusing to add Subject Alternative Names not associated with the kubernetes apiserver service, server nodes, or values of the tls-san option (default: false)",
Destination: &ServerConfig.TLSSanSecurity,
},
DataDirFlag,
ClusterCIDR,
ServiceCIDR,
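Review bot: The new `TLSSanSecurity` field on `Server` has no comment, and neither does its counterpart `SANSecurity` on `Control` in pkg/daemons/config/types.go; the only description of what the option does is the flag's Usage string. Because the flag defaults to false and, per the pkg/cluster/https.go hunk, leaving it unset skips registering the `server-cn-filter` controller that was previously registered unconditionally, a reader of the struct should be told that the protection is opt-in. Suggested field comment for both structs: `// TLSSanSecurity enables the server-cn-filter controller, which refuses to add Subject Alternative Names to the server TLS cert other than the apiserver service names, server nodes, and --tls-san values; off by default.` The enclosing `Server` struct and `ServerFlags` slice both extend beyond the visible hunks.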
1 change: 1 addition & 0 deletions pkg/cli/server/server.go
Expand Up @@ -132,6 +132,7 @@ func run(app *cli.Context, cfg *cmds.Server, leaderControllers server.CustomCont
serverConfig.ControlConfig.Rootless = cfg.Rootless
serverConfig.ControlConfig.ServiceLBNamespace = cfg.ServiceLBNamespace
serverConfig.ControlConfig.SANs = util.SplitStringSlice(cfg.TLSSan)
serverConfig.ControlConfig.SANSecurity = cfg.TLSSanSecurity
serverConfig.ControlConfig.BindAddress = cfg.BindAddress
serverConfig.ControlConfig.SupervisorPort = cfg.SupervisorPort
serverConfig.ControlConfig.HTTPSPort = cfg.HTTPSPort
6 changes: 4 additions & 2 deletions pkg/cluster/https.go
Expand Up @@ -52,8 +52,10 @@ func (c *Cluster) newListener(ctx context.Context) (net.Listener, http.Handler,
return nil, nil, err
}
c.config.SANs = append(c.config.SANs, "kubernetes", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc."+c.config.ClusterDomain)
c.config.Runtime.ClusterControllerStarts["server-cn-filter"] = func(ctx context.Context) {
registerAddressHandlers(ctx, c)
if c.config.SANSecurity {
c.config.Runtime.ClusterControllerStarts["server-cn-filter"] = func(ctx context.Context) {
registerAddressHandlers(ctx, c)
}
}
storage := tlsStorage(ctx, c.config.DataDir, c.config.Runtime)
return wrapHandler(dynamiclistener.NewListenerWithChain(tcp, storage, certs, key, dynamiclistener.Config{
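Review bot: When `c.config.SANSecurity` is false the new `if` silently drops the `server-cn-filter` registration that the removed lines performed on every start, so an operator has no runtime indication that SAN filtering on the server cert is now off. An `else` branch that logs the disabled state would make the default visible in the server log, e.g. `} else {` / `logrus.Warn("TLS SAN CN filtering is disabled; set --tls-san-security to restrict the SANs added to the server TLS cert")` / `}` — using whichever logger https.go already imports, since none is visible in this hunk. A short comment above the `if` explaining why the filter is opt-in rather than default-on would also help the next maintainer. `newListener` begins before and ends after the hunk.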
1 change: 1 addition & 0 deletions pkg/daemons/config/types.go
Expand Up @@ -221,6 +221,7 @@ type Control struct {

BindAddress string
SANs []string
SANSecurity bool
PrivateIP string
Runtime *ControlRuntime `json:"-"`
}
