/
certificatesigningrequest_controller.go
184 lines (157 loc) · 6.46 KB
/
certificatesigningrequest_controller.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
package certificatesigningrequest
import (
"context"
"crypto/x509"
"fmt"
authorization "k8s.io/api/authorization/v1beta1"
capi "k8s.io/api/certificates/v1beta1"
"k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/runtime"
clientset "k8s.io/client-go/kubernetes"
"k8s.io/klog"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/controller"
"sigs.k8s.io/controller-runtime/pkg/handler"
"sigs.k8s.io/controller-runtime/pkg/manager"
"sigs.k8s.io/controller-runtime/pkg/reconcile"
"sigs.k8s.io/controller-runtime/pkg/source"
)
// Tries to recognize CSRs that are specific to this use case
type csrRecognizer struct {
recognize func(csr *capi.CertificateSigningRequest, x509cr *x509.CertificateRequest) bool
permission authorization.ResourceAttributes
successMessage string
}
func recognizers() []csrRecognizer {
recognizers := []csrRecognizer{
{
recognize: isNodeServingCert,
permission: authorization.ResourceAttributes{Group: "certificates.k8s.io", Resource: "certificatesigningrequests", Verb: "create"},
successMessage: "Auto approving kubelet serving certificate after SubjectAccessReview.",
},
}
return recognizers
}
// Add creates a new CertificateSigningRequest Controller and adds it to the Manager. The Manager will set fields on the Controller
// and Start it when the Manager is Started.
func Add(mgr manager.Manager) error {
return add(mgr, newReconciler(mgr))
}
// newReconciler returns a new reconcile.Reconciler
func newReconciler(mgr manager.Manager) reconcile.Reconciler {
return &ReconcileCertificateSigningRequest{client: mgr.GetClient(), scheme: mgr.GetScheme(), clientset: clientset.NewForConfigOrDie(mgr.GetConfig())}
}
// add adds a new Controller to mgr with r as the reconcile.Reconciler
func add(mgr manager.Manager, r reconcile.Reconciler) error {
// Create a new controller
c, err := controller.New("certificatesigningrequest-controller", mgr, controller.Options{Reconciler: r})
if err != nil {
return err
}
// Watch for changes to primary resource CertificateSigningRequest
err = c.Watch(&source.Kind{Type: &capi.CertificateSigningRequest{}}, &handler.EnqueueRequestForObject{})
if err != nil {
return err
}
return nil
}
var _ reconcile.Reconciler = &ReconcileCertificateSigningRequest{}
// ReconcileCertificateSigningRequest reconciles a CertificateSigningRequest object
type ReconcileCertificateSigningRequest struct {
// This client, initialized using mgr.Client() above, is a split client
// that reads objects from the cache and writes to the apiserver
client client.Client
scheme *runtime.Scheme
// Helper client wrapper
clientset clientset.Interface
}
// Reconcile reads that state of the cluster for a CertificateSigningRequest object and makes changes based on the state read
// and what is in the CertificateSigningRequest.Spec
// The Controller will requeue the Request to be processed again if the returned error is non-nil or
// Result.Requeue is true, otherwise upon completion it will remove the work from the queue.
func (r *ReconcileCertificateSigningRequest) Reconcile(request reconcile.Request) (reconcile.Result, error) {
klog.V(2).Infof("Reconciling CertificateSigningRequest %s/%s", request.Namespace, request.Name)
// Fetch the CertificateSigningRequest instance
csr := &capi.CertificateSigningRequest{}
err := r.client.Get(context.TODO(), request.NamespacedName, csr)
if err != nil {
if errors.IsNotFound(err) {
// Request object not found, could have been deleted after reconcile request.
// Owned objects are automatically garbage collected. For additional cleanup logic use finalizers.
// Return and don't requeue
return reconcile.Result{}, nil
}
// Error reading the object - requeue the request.
return reconcile.Result{}, err
}
if len(csr.Status.Certificate) != 0 {
klog.V(2).Info("CSR already has a certificate, ignoring")
return reconcile.Result{}, nil
}
if approved, denied := getCertApprovalCondition(&csr.Status); approved || denied {
klog.V(2).Infof("CSR already has a approval status: %v", csr.Status)
return reconcile.Result{}, nil
}
x509cr, err := parseCSR(csr)
if err != nil {
return reconcile.Result{}, fmt.Errorf("unable to parse csr %q: %v", csr.Name, err)
}
tried := []string{}
for _, recognizer := range recognizers() {
tried = append(tried, recognizer.permission.Resource)
if !recognizer.recognize(csr, x509cr) {
continue
}
approved, err := r.authorize(csr, recognizer.permission)
if err != nil {
klog.Warningf("SubjectAccessReview failed: %s", err)
return reconcile.Result{}, err
}
if approved {
klog.V(2).Infof("approving csr %s with SANs: %s, IP Addresses:%s", csr.ObjectMeta.Name, x509cr.DNSNames, x509cr.IPAddresses)
appendApprovalCondition(csr, recognizer.successMessage)
_, err = r.clientset.CertificatesV1beta1().CertificateSigningRequests().UpdateApproval(csr)
if err != nil {
klog.Warningf("error updating approval for csr: %v", err)
return reconcile.Result{}, fmt.Errorf("error updating approval for csr: %v", err)
}
} else {
klog.Warningf("SubjectAccessReview not successful for CSR %s", request.NamespacedName)
return reconcile.Result{}, fmt.Errorf("SubjectAccessReview failed")
}
return reconcile.Result{}, nil
}
if len(tried) != 0 {
klog.Warningf("csr %s not recognized as kubelet serving csr, tried: %v", csr.Name, tried)
return reconcile.Result{}, nil
}
return reconcile.Result{}, nil
}
// Validate that the given node has authorization to actualy create CSRs
func (r *ReconcileCertificateSigningRequest) authorize(csr *capi.CertificateSigningRequest, rattrs authorization.ResourceAttributes) (bool, error) {
extra := make(map[string]authorization.ExtraValue)
for k, v := range csr.Spec.Extra {
extra[k] = authorization.ExtraValue(v)
}
sar := &authorization.SubjectAccessReview{
Spec: authorization.SubjectAccessReviewSpec{
User: csr.Spec.Username,
UID: csr.Spec.UID,
Groups: csr.Spec.Groups,
Extra: extra,
ResourceAttributes: &rattrs,
},
}
sar, err := r.clientset.AuthorizationV1beta1().SubjectAccessReviews().Create(sar)
if err != nil {
return false, err
}
return sar.Status.Allowed, nil
}
func appendApprovalCondition(csr *capi.CertificateSigningRequest, message string) {
csr.Status.Conditions = append(csr.Status.Conditions, capi.CertificateSigningRequestCondition{
Type: capi.CertificateApproved,
Reason: "AutoApproved by kubelet-rubber-stamp",
Message: message,
})
}