-
Notifications
You must be signed in to change notification settings - Fork 4.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add ip addresses into kubelet certs #12188
Conversation
/retest |
0a6b1a9
to
4dc67d8
Compare
@johngmyers Could you take a look at this PR, please? |
What is the reason for adding the IP addresses to the kubelet-server cert? The concern I have is that when there are two services with the same IP in their respective SANs, a client using that IP to talk to one can be tricked into talking to the other. There are clients that use IP addresses to talk to kube-apiserver, so they could then be redirected to talk to kubelet instead. |
Sorry, for the lack of explanation. I put it in the commit, but it didn't make it into the PR. The challenge is that there is no host DNS record for ipv6. So if you have an ipv6-only pod (say metrics-server) that wants to talk to kubelet, it cannot verify the TLS cert. So either such Pods would need host networking or we would need to put IPs in the certificate. I find the latter more safe than the former. Upstream is also fond of using IPs before hostname. https://github.com/kubernetes-sigs/metrics-server/blob/master/manifests/base/deployment.yaml#L26 |
@@ -232,8 +232,14 @@ func (a awsVerifier) VerifyToken(token string, body []byte) (*fi.VerifyResult, e | |||
|
|||
instance := instances.Reservations[0].Instances[0] | |||
|
|||
addrs, err := GetInstanceCertificateNames(a.ec2, instanceID) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This new function calls DescribeInstances
even though DescribeInstances
was just called a few lines above. Maybe it could be refactored to provide the DescribeInstancesOutput
so it only needs to be called once here? and then kubeletNames
can call DescribeInstances
separately.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
Since AWS does not resolve instance hostnames to ipv6, ipv6-only pods that talk to kubelet API has to use node IP, not hostname. Thus we need to add IPs to kubelet server cert.
4dc67d8
to
ad16042
Compare
this LGTM pending @johngmyers's feedback |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We don't give kube-apiserver the node IP addresses anyway, so there's no overlap.
It's unfortunate AWS doesn't include a AAAA record for the instance's domain.
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: johngmyers The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
return nil, err | ||
} | ||
|
||
addrs, _ := net.LookupHost(name) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is probably putting too much trust in the DNS. It would be much better to get the IP addresses from cloud APIs, like we do for AWS.
No description provided.