-
Notifications
You must be signed in to change notification settings - Fork 38.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add client-ca to configmap in kube-public #41814
Conversation
[APPROVALNOTIFIER] This PR is NOT APPROVED The following people have approved this PR: deads2k Needs approval from an approver in each of these OWNERS Files:
We suggest the following people: |
pkg/master/client_ca_hook.go
Outdated
} | ||
data := map[string]string{ | ||
"front-proxy-ca.crt": string(h.FrontProxyCA), | ||
"front-proxy-allowed-names": string(serializedNames), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is half of the information required for front-proxy config... do we really want to stitch together the header names from args to the UAS with information from here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this also means write permission to this object is escalating
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this also means write permission to this object is escalating
So is the client-ca one. If you control the trusted cert and can write it to match a key you own, it's done.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is half of the information required for front-proxy config... do we really want to stitch together the header names from args to the UAS with information from here?
More crisply, are you asking for all the --request-header-*
options?
pkg/master/client_ca_hook.go
Outdated
} | ||
|
||
if len(h.ClientCA) > 0 { | ||
if err := writePublicClientCert(client, "client-ca", map[string]string{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
there are several components that take client-ca config... this assumes they all use the same one. is that a good assumption?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
there are several components that take client-ca config... this assumes they all use the same one. is that a good assumption?
Open to an alternate name.
pkg/master/client_ca_hook.go
Outdated
|
||
// writeClientCAs is here for unit testing with a fake client | ||
func (h ClientCARegistrationHook) writeClientCAs(client coreclient.CoreInterface) { | ||
if _, err := client.Namespaces().Create(&api.Namespace{ObjectMeta: metav1.ObjectMeta{Name: metav1.NamespacePublic}}); err != nil && !apierrors.IsAlreadyExists(err) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
do these need to be in kube-public? delegating servers will already need credentials allowed to run SubjectAccessReview/TokenReview checks... can we limit the exposure of this info to those users?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can we limit the exposure of this info to those users?
Which namespace would you like it in?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
do these need to be in kube-public?
They could really go anywhere, but the whole point of a public key is that it can be public. Why would they live somewhere else?
@liggitt made it |
/release-note-none |
keys and contents of the configmap LGTM |
cmd/kube-apiserver/app/server.go
Outdated
@@ -314,9 +315,26 @@ func Run(s *options.ServerRunOptions) error { | |||
return err | |||
} | |||
|
|||
clientCA, err := readCAIfPresent(s.Authentication.ClientCert.ClientCA) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
will this throw some kind of NotFound error? It should.
cmd/kube-apiserver/app/server.go
Outdated
@@ -354,6 +372,13 @@ func Run(s *options.ServerRunOptions) error { | |||
return nil | |||
} | |||
|
|||
func readCAIfPresent(file string) ([]byte, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IfPresent = len != 0. Unexpected. Maybe readCAorNil
would be better.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
Automatic merge from submit-queue |
Automatic merge from submit-queue Add namespaced role to inspect particular configmap for delegated authentication Builds on #41814 and #41922 (those are already lgtm'ed) with the ultimate goal of making an extension API server zero-config for "normal" authentication cases. This part creates a namespace role in `kube-system` that can *only* look the configmap which gives the delegated authentication check. When a cluster-admin grants the SA running the extension API server the power to run delegated authentication checks, he should also bind this role in this namespace. @sttts Should we add a flag to aggregated API servers to indicate they want to look this up so they can crashloop on startup? The alternative is sometimes having it and sometimes not. I guess we could try to key on explicit "disable front-proxy" which may make more sense. @kubernetes/sig-api-machinery-misc @ncdc I spoke to @liggitt about this before he left and he was ok in concept. Can you take a look at the details?
Client CA information is not secret and it's required for any API server trying to terminate a TLS connection. This pull adds the information to configmaps in
kube-public
that look like this:@kubernetes/sig-auth-api-reviews @liggitt @kubernetes/sig-api-machinery-pr-reviews @lavalamp @sttts
There will need to be a corresponding pull for permissions