MOD: support wildcard DNS for apiserver certSANs #76920
Conversation
k8s-ci-robot
added
kind/feature
|
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-ci-robot
added
cncf-cla: no
|
Hi @sempr. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
needs-ok-to-test
k8s-ci-robot
added
area/kubeadm
sig/cluster-lifecycle
k8s-ci-robot
added
cncf-cla: yes
|
@sempr: you cannot LGTM your own PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/ok-to-test |
|
@sempr: Cannot trigger testing until a trusted user reviews the PR and leaves an In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/assign @timothysc |
k8s-ci-robot
added
the
do-not-merge/hold
There was a problem hiding this comment.
hi, i don't think we want to support wildcards.
the security model of kubeadm is explicitly designed to allow you to only specify a hardcoded list of addresses and domains for a component such as the api server.
see here:
https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta1
apiServer:
...
certSANs:
- "10.100.1.1"
- "ec2-10-100-0-1.compute-1.amazonaws.com"
@kubernetes/sig-cluster-lifecycle-pr-reviews
/hold
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
|
@sempr - Can you outline a user story for this? What's the use case? |
@timothysc as is known, a https certs can use wildcard dns names, as an http(2) server, kube-apiserver should support it. let's encrypt also supported wildcard domain names on version 2. A reasonable user case is like this, i have 3 kubernetes masters, m1.masters.k8s.lan, m2.masters.k8s.lan m3.masters.k8s.lan, if one day later i want to add other 2 masters, for example, m4.masters.k8s.lan m5.masters.k8s.lan, i can easily add the wildcard names |
|
@liggitt ^ could I get a hot take on this request from a security perspective? |
|
Is a single certificate/key valid for all the specified SANs already being handed out to all the apiservers? if so, this is not worse, for the set of servers specified. It does have a couple implications users would have to be aware of:
|
|
@liggitt currently only SANs for the local system are baked into the certificate (unless explicitly specified by the user though the kubeadm config). imo, since this is explicitly only enabling users to pass in a wildcard as an additional SAN, while it may not be recommended in most cases, I don't see any reason why we should completely disallow it. |
| allErrs = append(allErrs, field.Invalid(fldPath, altname, fmt.Sprintf("altname is not a valid IP address or DNS label: %s", strings.Join(errs, "; ")))) | ||
| if errs2 := validation.IsWildcardDNS1123Subdomain(altname); len(errs2) != 0 { | ||
| if net.ParseIP(altname) == nil { | ||
| allErrs = append(allErrs, field.Invalid(fldPath, altname, fmt.Sprintf("altname is not a valid IP address or DNS label or Wildcard DNS label: %s; %s", strings.Join(errs, "; "), strings.Join(errs2, "; ")))) |
There was a problem hiding this comment.
please change:
...a valid IP address or DNS label or Wildcard DNS label....
to
...not a valid IP address, DNS label or a DNS label with subdomain wildcards....
There was a problem hiding this comment.
done
| allErrs = append(allErrs, field.Invalid(fldPath, altname, fmt.Sprintf("altname is not a valid IP address or DNS label or Wildcard DNS label: %s; %s", strings.Join(errs, "; "), strings.Join(errs2, "; ")))) | |
| allErrs = append(allErrs, field.Invalid(fldPath, altname, fmt.Sprintf("altname is not a valid IP address or DNS label or Wildcard DNS label: %s; %s", strings.Join(errs, "; "), strings.Join(errs2, "; ")))) |
|
/priority important-longterm |
k8s-ci-robot
added
priority/important-longterm
timothysc
removed
the
do-not-merge/hold
|
please add a release note instead of NONE: |
k8s-ci-robot
added
release-note
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sempr, timothysc The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
k8s-ci-robot
added
the
lgtm
|
/retest |
1 similar comment
|
/retest |
What type of PR is this?
/kind feature
What this PR does / why we need it:
It support wildcard certSANs for apiServer, the same as the normal https certificates.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
NONE