Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

kubeadm: add validation to verify that the CertificateKey is a valid hex encoded AES key #120064

Merged
merged 1 commit into from Aug 20, 2023
Merged

kubeadm: add validation to verify that the CertificateKey is a valid hex encoded AES key #120064

merged 1 commit into from Aug 20, 2023

Conversation

SataQiu
Copy link
Member

@SataQiu SataQiu commented Aug 19, 2023

What type of PR is this?

/kind feature

What this PR does / why we need it:

kubeadm: add validation to verify that the CertificateKey is a valid hex encoded AES key

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?

kubeadm: add validation to verify that the CertificateKey is a valid hex encoded AES key

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Aug 19, 2023
@k8s-ci-robot
Copy link
Contributor

This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-priority Indicates a PR lacks a `priority/foo` label and requires one. approved Indicates a PR has been approved by an approver from all required OWNERS files. area/kubeadm sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Aug 19, 2023
neolit123
neolit123 reviewed Aug 19, 2023
View reviewed changes
cmd/kubeadm/app/apis/kubeadm/validation/validation.go Outdated

k := len(decodedKey)
switch k {
case 16, 24, 32:
Copy link
Member

@neolit123 neolit123 Aug 19, 2023
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

our util is flexible to allow various key sizes:

kubernetes/cmd/kubeadm/app/util/crypto/crypto.go

Line 38 in eae63c8

func EncryptBytes(data, key []byte) ([]byte, error) {

but we do hardcode the required (security wize, default) size to 32 bytes only.

kubernetes/cmd/kubeadm/app/phases/copycerts/copycerts.go

Line 81 in eae63c8

randBytes, err := cryptoutil.CreateRandBytes(kubeadmconstants.CertificateKeySize)

here in the validation we can do:

	if len(decodedKey) != kubeadmconstants.CertificateKeySize {
		allErrs = append(allErrs, field.Invalid(fldPath, certificateKey, fmt.Sprintf("invalid certificate key size %d, the key must be an AES key of size %d", k, kubeadmconstants.CertificateKeySize)))

one issue around DecryptBytes is that i don't see size validation impleneted already for it. this means users could have written a valid AES key with smaller size and it would have worked. ..and that's why the comments about validation.go were left i guess.

the main point is that kubeadm by default generates 32 bytes, which is secure.

i think we should just error for size != 32.

neolit123
neolit123 reviewed Aug 20, 2023
View reviewed changes
Copy link
Member

@neolit123 neolit123 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve
/retest

please check the extra args v1beta4 pr when you can.

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 20, 2023
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: bff1f3edc14d92db160aed6dd9cec3e6ada6c092

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: neolit123, SataQiu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit 5b21674 into kubernetes:master Aug 20, 2023
12 checks passed
@k8s-ci-robot k8s-ci-robot added this to the v1.29 milestone Aug 20, 2023
@SataQiu SataQiu mentioned this pull request Aug 20, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@neolit123 neolit123 neolit123 left review comments

@chendave chendave Awaiting requested review from chendave

@fabriziopandini fabriziopandini Awaiting requested review from fabriziopandini

Assignees

@neolit123 neolit123

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/kubeadm cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
v1.29
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@SataQiu @k8s-ci-robot @neolit123