Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[release-1.26] Add new CLI flag to enable TLS SAN CN filtering #8258

Merged
merged 1 commit into from Aug 29, 2023
Merged

[release-1.26] Add new CLI flag to enable TLS SAN CN filtering #8258

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
6 changes: 6 additions & 0 deletions pkg/cli/cmds/server.go
View file
Open in desktop
Expand Up @@ -47,6 +47,7 @@ type Server struct {
KubeConfigMode string
HelmJobImage string
TLSSan cli.StringSlice
TLSSanSecurity bool
BindAddress string
EnablePProf bool
ExtraAPIArgs cli.StringSlice
Expand Down Expand Up @@ -202,6 +203,11 @@ var ServerFlags = []cli.Flag{
Usage: "(listener) Add additional hostnames or IPv4/IPv6 addresses as Subject Alternative Names on the server TLS cert",
Value: &ServerConfig.TLSSan,
},
&cli.BoolFlag{
Name: "tls-san-security",
Usage: "(listener) Protect the server TLS cert by refusing to add Subject Alternative Names not associated with the kubernetes apiserver service, server nodes, or values of the tls-san option (default: false)",
Destination: &ServerConfig.TLSSanSecurity,
},
DataDirFlag,
ClusterCIDR,
ServiceCIDR,
Expand Down
1 change: 1 addition & 0 deletions pkg/cli/server/server.go
View file
Open in desktop
Expand Up @@ -132,6 +132,7 @@ func run(app *cli.Context, cfg *cmds.Server, leaderControllers server.CustomCont
serverConfig.ControlConfig.Rootless = cfg.Rootless
serverConfig.ControlConfig.ServiceLBNamespace = cfg.ServiceLBNamespace
serverConfig.ControlConfig.SANs = util.SplitStringSlice(cfg.TLSSan)
serverConfig.ControlConfig.SANSecurity = cfg.TLSSanSecurity
serverConfig.ControlConfig.BindAddress = cfg.BindAddress
serverConfig.ControlConfig.SupervisorPort = cfg.SupervisorPort
serverConfig.ControlConfig.HTTPSPort = cfg.HTTPSPort
Expand Down
6 changes: 4 additions & 2 deletions pkg/cluster/https.go
View file
Open in desktop
Expand Up @@ -52,8 +52,10 @@ func (c *Cluster) newListener(ctx context.Context) (net.Listener, http.Handler,
return nil, nil, err
}
c.config.SANs = append(c.config.SANs, "kubernetes", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc."+c.config.ClusterDomain)
c.config.Runtime.ClusterControllerStarts["server-cn-filter"] = func(ctx context.Context) {
registerAddressHandlers(ctx, c)
if c.config.SANSecurity {
c.config.Runtime.ClusterControllerStarts["server-cn-filter"] = func(ctx context.Context) {
registerAddressHandlers(ctx, c)
}
}
storage := tlsStorage(ctx, c.config.DataDir, c.config.Runtime)
return wrapHandler(dynamiclistener.NewListenerWithChain(tcp, storage, certs, key, dynamiclistener.Config{
Expand Down
1 change: 1 addition & 0 deletions pkg/daemons/config/types.go
View file
Open in desktop
Expand Up @@ -222,6 +222,7 @@ type Control struct {

BindAddress string
SANs []string
SANSecurity bool
PrivateIP string
Runtime *ControlRuntime `json:"-"`
}
Expand Down