Verify requests by IP address #28
Comments
Hi @stephan2012, this sounds like a valid use case. I will implement this in the coming days and then ask for your help to validate it!
Hi @stephan2012, sorry for the time it took to implement that! You can try the following Docker image, which embeds this new feature: For instructions on how to use that feature, I've updated the README: https://github.com/postfinance/kubelet-csr-approver/tree/feat/provider-ipset#parameters Please tell me if it works as expected, and tell me if the naming or documentation is unclear; I'll be happy to improve that :)
Thank you so much, @clementnuss! I appreciate your effort and like the extension that you have added. I did some tests. Denied approvals for non-whitelisted subnets work, and approving valid CSR requests works, too.
Hi @stephan2012, the image name has changed: I'll release a new version of the CSR approver next week, btw.
Hi @clementnuss,
Hi @stephan2012, have you had time to test the new image?
Hi @clementnuss, yes, I have finally completed my tests without any issues. Works as expected. 😀 One thing that I have just noticed is that the Helm chart neither provides a config option nor a way to pass generic environment variables. Let me know if you'd like to see a PR for it.
If you have time to do that, that would be great 👍🏻 It is also missing in the Kubernetes manifests here: https://github.com/postfinance/kubelet-csr-approver/blob/feat/provider-ipset/deploy/k8s/deployment.yaml if you also want to change that :)
Yes, I will take care of the Helm chart and the manifest.
Thanks for your help, Stephan! I just published release v0.2.0, and the Helm chart was updated accordingly as well.
kubeadm registers Kubernetes nodes by their canonical hostname instead of the FQDN, making it hard to find a regex that universally matches and provides more security than `.*`. Would it be an option to verify legitimate certificate requests against a list of allowed IP subnets? The CSR contains the node IP address:
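An added example of the check the issue asks for, written for this thread and not taken from the kubelet-csr-approver code base: parse the CSR, read its IP SANs and deny the request unless every SAN falls inside a whitelisted subnet. `AllowedSubnets` holds constructed values and `BuildCSR` only produces test input; both are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"net"
)

// AllowedSubnets is a constructed example of whitelisted node subnets (hypothetical values).
var AllowedSubnets = []string{"10.0.0.0/8", "192.168.100.0/24"}

// IPSANsAllowed parses a DER-encoded CSR, checks its self-signature and returns true
// only if it carries at least one IP SAN and every IP SAN lies inside an allowed CIDR.
func IPSANsAllowed(csrDER []byte, cidrs []string) (bool, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return false, err }
	// ParseCertificateRequest does not verify the signature; a tampered CSR must be denied.
	if err := csr.CheckSignature(); err != nil { return false, err }
	// Without an IP SAN there is nothing to compare against the whitelist, so deny.
	if len(csr.IPAddresses) == 0 { return false, fmt.Errorf("CSR carries no IP SAN") }
	var nets []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil { return false, err }
		nets = append(nets, n)
	}
	for _, ip := range csr.IPAddresses { // every SAN must be covered, not just one
		ok := false
		for _, n := range nets {
			ok = ok || n.Contains(ip)
		}
		if !ok {
			return false, fmt.Errorf("IP SAN %s is outside the allowed subnets", ip)
		}
	}
	return true, nil
}

// BuildCSR builds a minimal node CSR with the given hostname and IP SANs (constructed test input only).
func BuildCSR(node string, ips ...string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.CertificateRequest{DNSNames: []string{node}}
	for _, s := range ips {
		tmpl.IPAddresses = append(tmpl.IPAddresses, net.ParseIP(s))
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}
```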