-
Notifications
You must be signed in to change notification settings - Fork 38.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
MOD: support wildcard DNS for apiserver certSANs #76920
Conversation
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Hi @sempr. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@sempr: you cannot LGTM your own PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/ok-to-test |
@sempr: Cannot trigger testing until a trusted user reviews the PR and leaves an In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/assign @timothysc |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hi, i don't think we want to support wildcards.
the security model of kubeadm is explicitly designed to allow you to only specify a hardcoded list of addresses and domains for a component such as the api server.
see here:
https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta1
apiServer:
...
certSANs:
- "10.100.1.1"
- "ec2-10-100-0-1.compute-1.amazonaws.com"
@kubernetes/sig-cluster-lifecycle-pr-reviews
/hold
/ok-to-test |
@sempr - Can you outline a user story for this? What's the use case? |
@timothysc as is known, a https certs can use wildcard dns names, as an http(2) server, kube-apiserver should support it. let's encrypt also supported wildcard domain names on version 2. A reasonable user case is like this, i have 3 kubernetes masters, m1.masters.k8s.lan, m2.masters.k8s.lan m3.masters.k8s.lan, if one day later i want to add other 2 masters, for example, m4.masters.k8s.lan m5.masters.k8s.lan, i can easily add the wildcard names |
@liggitt ^ could I get a hot take on this request from a security perspective? |
Is a single certificate/key valid for all the specified SANs already being handed out to all the apiservers? if so, this is not worse, for the set of servers specified. It does have a couple implications users would have to be aware of:
|
@liggitt currently only SANs for the local system are baked into the certificate (unless explicitly specified by the user though the kubeadm config). imo, since this is explicitly only enabling users to pass in a wildcard as an additional SAN, while it may not be recommended in most cases, I don't see any reason why we should completely disallow it. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@sempr
please address the minor comment bellow.
looks like we are leaning towards +1 here.
allErrs = append(allErrs, field.Invalid(fldPath, altname, fmt.Sprintf("altname is not a valid IP address or DNS label: %s", strings.Join(errs, "; ")))) | ||
if errs2 := validation.IsWildcardDNS1123Subdomain(altname); len(errs2) != 0 { | ||
if net.ParseIP(altname) == nil { | ||
allErrs = append(allErrs, field.Invalid(fldPath, altname, fmt.Sprintf("altname is not a valid IP address or DNS label or Wildcard DNS label: %s; %s", strings.Join(errs, "; "), strings.Join(errs2, "; ")))) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
please change:
...a valid IP address or DNS label or Wildcard DNS label....
to
...not a valid IP address, DNS label or a DNS label with subdomain wildcards....
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
allErrs = append(allErrs, field.Invalid(fldPath, altname, fmt.Sprintf("altname is not a valid IP address or DNS label or Wildcard DNS label: %s; %s", strings.Join(errs, "; "), strings.Join(errs2, "; ")))) | |
allErrs = append(allErrs, field.Invalid(fldPath, altname, fmt.Sprintf("altname is not a valid IP address or DNS label or Wildcard DNS label: %s; %s", strings.Join(errs, "; "), strings.Join(errs2, "; ")))) |
/priority important-longterm |
please add a release note instead of NONE: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sempr, timothysc The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
/retest |
1 similar comment
/retest |
What type of PR is this?
/kind feature
What this PR does / why we need it:
It support wildcard certSANs for apiServer, the same as the normal https certificates.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
NONE