New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
client-go: make generating certificate/key permissions more restrictive (600) #115472
client-go: make generating certificate/key permissions more restrictive (600) #115472
Conversation
Welcome @lanycrost! |
Hi @lanycrost. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/remove-sig api-machinery |
/remove-sig api-machinery |
/ok-to-test |
/assign @enj |
looks like there's a unit test explicitly checking the old values that needs updating:
|
return nil, nil, fmt.Errorf("failed to write cert fixture to %s: %v", certFixturePath, err) | ||
} | ||
if err := os.WriteFile(keyFixturePath, keyBuffer.Bytes(), 0644); err != nil { | ||
if err := os.WriteFile(keyFixturePath, keyBuffer.Bytes(), 0600); err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is the only change in this PR I think we should consider.
That said, this code path is producing fixture files to get checked in to source control... I don't have a good sense for how a user-only readable file will behave in systems where one actor is checking out from source control and another is running the tests
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reading further, it looks like git only tracks the executable bit, and group/other permissions are solely governed by the user's umask when checking out.
That means that generating this with 0600 will likely produce fixtures with 0600 permissions, but that once they are committed and checked out, the file permissions will likely still be 0644. But since they are test fixture files being committed to source, that doesn't really matter anyway.
staging/src/k8s.io/client-go/util/certificate/certificate_store.go
Outdated
Show resolved
Hide resolved
/retest |
@liggitt Thanks for your valuable review. Regarding the fixture files, I understand your concern about user-only readable files and how they may behave in systems with multiple actors. It may be worthwhile to explore alternative approaches, such as generating the fixture files on the fly during testing, or having separate fixture files for each one. If I'm getting you right. |
Generating fixtures on the fly for unit tests was expensive on underpowered CI systems and led to problems. The fixtures this leads to are things like https://github.com/kubernetes/kubernetes/tree/master/cmd/kube-apiserver/app/testing/testdata which are never used in the context of a server which can be used to create real executing workloads, only unit/integration tests which are immediately torn down and deleted. |
/lgtm |
LGTM label has been added. Git tree hash: 79e28f126fd0b1d7749bfd85a831014cbc8afa54
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: lanycrost, liggitt The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/triage accepted |
What type of PR is this?
/kind bug
What this PR does / why we need it:
GenerateSelfSignedCertKeyWithFixtures
function as well as in other places keys and certificates and directories will be generated with more restrictive permissions.Which issue(s) this PR fixes:
Fixes #110992
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
apiserver generated self-signed certificate permissions will be more restrictive