From f365a9cb98f2e2dd5bd2fdf526c0c7d2fcbb0bae Mon Sep 17 00:00:00 2001
From: Brad Davidson
Date: Mon, 28 Aug 2023 20:39:21 +0000
Subject: [PATCH] Add new CLI flag to enable TLS SAN CN filtering

Signed-off-by: Brad Davidson
---
 pkg/cli/cmds/server.go | 6 ++++++
 pkg/cli/server/server.go | 1 +
 pkg/cluster/https.go | 6 ++++--
 pkg/daemons/config/types.go | 1 +
 4 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/pkg/cli/cmds/server.go b/pkg/cli/cmds/server.go
index 34eb21d4732c..8e35153ddcf3 100644
--- a/pkg/cli/cmds/server.go
+++ b/pkg/cli/cmds/server.go
@@ -47,6 +47,7 @@ type Server struct {
 KubeConfigMode string
 HelmJobImage string
 TLSSan cli.StringSlice
+ TLSSanSecurity bool
 BindAddress string
 EnablePProf bool
 ExtraAPIArgs cli.StringSlice
@@ -202,6 +203,11 @@ var ServerFlags = []cli.Flag{
 Usage: "(listener) Add additional hostnames or IPv4/IPv6 addresses as Subject Alternative Names on the server TLS cert",
 Value: &ServerConfig.TLSSan,
 },
+ &cli.BoolFlag{
+ Name: "tls-san-security",
+ Usage: "(listener) Protect the server TLS cert by refusing to add Subject Alternative Names not associated with the kubernetes apiserver service, server nodes, or values of the tls-san option (default: false)",
+ Destination: &ServerConfig.TLSSanSecurity,
+ },
 DataDirFlag,
 ClusterCIDR,
 ServiceCIDR,
diff --git a/pkg/cli/server/server.go b/pkg/cli/server/server.go
index aae018f20ce4..62009a98308c 100644
--- a/pkg/cli/server/server.go
+++ b/pkg/cli/server/server.go
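Review bot: The `Usage` string for `tls-san-security` documents only what the flag does when set, and never tells the operator what the default of false means in practice — a security flag that is opt-in should say so plainly. From the `pkg/cluster/https.go` hunk in this patch it appears that leaving the flag unset means the `server-cn-filter` controller is not registered at all, so the refusal described in the usage text simply does not happen; the help text is the only place most operators will learn that. I would extend the string, e.g. `Usage: "(listener) Protect the server TLS cert by refusing to add Subject Alternative Names not associated with the kubernetes apiserver service, server nodes, or values of the tls-san option. When unset, no such filtering is applied (default: false)"`. The literal `(default: false)` also duplicates the `BoolFlag` zero value; if the surrounding flags rely on urfave/cli to print defaults, it can be dropped for consistency, but that is a nit.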
@@ -132,6 +132,7 @@ func run(app *cli.Context, cfg *cmds.Server, leaderControllers server.CustomCont
 serverConfig.ControlConfig.Rootless = cfg.Rootless
 serverConfig.ControlConfig.ServiceLBNamespace = cfg.ServiceLBNamespace
 serverConfig.ControlConfig.SANs = util.SplitStringSlice(cfg.TLSSan)
+ serverConfig.ControlConfig.SANSecurity = cfg.TLSSanSecurity
 serverConfig.ControlConfig.BindAddress = cfg.BindAddress
 serverConfig.ControlConfig.SupervisorPort = cfg.SupervisorPort
 serverConfig.ControlConfig.HTTPSPort = cfg.HTTPSPort
diff --git a/pkg/cluster/https.go b/pkg/cluster/https.go
index d2fca0f809b1..71aafe180bb1 100644
--- a/pkg/cluster/https.go
+++ b/pkg/cluster/https.go
@@ -52,8 +52,10 @@ func (c *Cluster) newListener(ctx context.Context) (net.Listener, http.Handler,
 return nil, nil, err
 }
 c.config.SANs = append(c.config.SANs, "kubernetes", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc."+c.config.ClusterDomain)
- c.config.Runtime.ClusterControllerStarts["server-cn-filter"] = func(ctx context.Context) {
- registerAddressHandlers(ctx, c)
+ if c.config.SANSecurity {
+ c.config.Runtime.ClusterControllerStarts["server-cn-filter"] = func(ctx context.Context) {
+ registerAddressHandlers(ctx, c)
+ }
 }
 storage := tlsStorage(ctx, c.config.DataDir, c.config.Runtime)
 return wrapHandler(dynamiclistener.NewListenerWithChain(tcp, storage, certs, key, dynamiclistener.Config{
diff --git a/pkg/daemons/config/types.go b/pkg/daemons/config/types.go
index 9034b1b334be..8391a0ae1a0a 100644
--- a/pkg/daemons/config/types.go
+++ b/pkg/daemons/config/types.go
@@ -221,6 +221,7 @@ type Control struct {
 BindAddress string
 SANs []string
+ SANSecurity bool
 PrivateIP string
 Runtime *ControlRuntime `json:"-"`
 }
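Review bot: Nothing records the weaker posture when `c.config.SANSecurity` is false: the `server-cn-filter` start hook is simply never added to `ClusterControllerStarts`, so `registerAddressHandlers` never runs and an operator reading the startup logs cannot tell that SAN filtering is off. Given that the new flag's own usage text says the filter refuses to add SANs not tied to the apiserver service, server nodes or `--tls-san`, silently skipping it by default deserves a visible signal, e.g. an `else` branch with `logrus.Warnf("TLS SAN CN filtering is disabled; set --tls-san-security to restrict which names can be added to the server TLS cert")` if the file's logger is in scope, and a one-line comment above the `if` stating why the filter is opt-in. The `c.config.SANs = append(...)` line stays unconditional, so the kubernetes service names are present on the cert either way. `newListener` both starts and ends outside this hunk, so I cannot see whether the flag is already logged elsewhere in the function.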