Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Never approve CSR if --bypass-dns-resolution is specified #253

Closed
kariya-mitsuru opened this issue May 16, 2024 · 5 comments
Closed

Never approve CSR if --bypass-dns-resolution is specified #253

kariya-mitsuru opened this issue May 16, 2024 · 5 comments
Assignees
@clementnuss

Comments

@kariya-mitsuru
Copy link

After updating to 1.2.0, the following error message appeared and CSRs were not approved.

Denying kubelet-serving CSR. DNS checks failed. Reason:One of the SAN IP addresses, xxx.xxx.xxx.xxx, is not contained in the set of resolved IP addresses, denying the CSR.

In my environment, the node name cannot be resolved by DNS, so I specify --bypass-dns-resolution.

I checked the source, and the IP addresses of the SAN are checked against resolvedIPSet here, however
resolvedIPSet contains only the IP addresses resolved here by DNS.

So, I think the check will always fail if --bypass-dns-resolution is specified.
@sherif-fanous
Copy link

Ran into the same issue now

@alan113696
Copy link

Same

@onedr0p onedr0p mentioned this issue May 17, 2024
Merged
@ishioni ishioni mentioned this issue May 19, 2024
Closed
1 task
@doonga doonga mentioned this issue May 20, 2024
Closed
1 task
@clementnuss clementnuss self-assigned this May 21, 2024
jfroy added a commit to jfroy/flatops that referenced this issue May 21, 2024
@jfroy
fix(kubelet-csr-approver): Revert to 1.1.0
53082af 
postfinance/kubelet-csr-approver#253
clementnuss added a commit that referenced this issue May 21, 2024
@clementnuss
test: add testcase covering issue #253
eb75bdf 
#253
Signed-off-by: Clément Nussbaumer <clement.nussbaumer@postfinance.ch>
clementnuss added a commit that referenced this issue May 21, 2024
@clementnuss
test: add testcase covering issue #253
4118bc0 
#253
Signed-off-by: Clément Nussbaumer <clement.nussbaumer@postfinance.ch>
clementnuss added a commit that referenced this issue May 21, 2024
@clementnuss
fix: X509 CR SAN IPs properly ignored when bypassing DNS Resolution
4a53481 
issue #253

Signed-off-by: Clément Nussbaumer <clement.nussbaumer@postfinance.ch>
@clementnuss
Copy link
Contributor

hi!

really sorry for the bug introduced while resolving #250 🤦🏼

I've now made the code simpler, with a proper early exit when bypassDNSResolution is true.

I've also added a testcase covering this issue.

can someone try the following image and report on whether the fix works on their side ?

docker.io/postfinance/kubelet-csr-approver:dns-check-fix
ghcr.io/postfinance/kubelet-csr-approver:dns-check-fix

@kariya-mitsuru
Copy link
Author

Thanks for the quick fix!

I checked it with helm chart 1.2.0 by setting image.tag to dns-check-fix, and it is approved without any problem!

@clementnuss
Copy link
Contributor

release v1.2.1 with the fix is out.

sorry for the inconvenience, and hoping everything settles down 🙃

jfroy added a commit to jfroy/flatops that referenced this issue May 22, 2024
@jfroy
fix(kubelet-csr-approver): Revert to 1.1.0
e17f2d7 
postfinance/kubelet-csr-approver#253
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@clementnuss clementnuss

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@clementnuss @kariya-mitsuru @alan113696 @sherif-fanous