
Verify requests by IP address #28

Closed
stephan2012 opened this issue Feb 15, 2022 · 10 comments
Comments

@stephan2012
Contributor

stephan2012 commented Feb 15, 2022

kubeadm registers Kubernetes nodes by their canonical hostname instead of the FQDN, making it hard to find a regex that universally matches and provides more security than .*. Would it be an option to verify legitimate certificate requests against a list of allowed IP subnets?

The CSR contains the node IP address:

$ kubectl get csr csr-5pq5z -o jsonpath='{.spec.request}' |base64 -d |openssl req -noout -text
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: O = system:nodes, CN = system:node:n0218
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:5e:a7:2e:34:53:bf:88:71:f7:e5:f1:26:63:57:
                    be:0b:db:d1:68:87:ae:17:a5:e7:5d:45:16:e6:f7:
                    df:7f:64:d6:bc:b1:e9:c7:a5:4c:5b:c9:91:31:89:
                    26:82:8c:cc:70:f2:1c:ec:45:8f:e6:a2:81:b8:f2:
                    80:ec:09:1e:8b
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name: 
                DNS:n0218, IP Address:192.168.8.58
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:21:00:d5:17:3e:d4:56:04:c4:4c:b5:ff:47:3c:1e:
         98:92:d1:20:e3:52:39:28:34:2a:eb:c3:53:93:b6:34:0d:93:
         4b:02:20:0c:d4:a2:68:f0:6e:22:e8:ca:f6:c9:27:78:55:bb:
         7c:5a:4c:01:af:78:42:1f:2e:b7:5a:39:a9:b5:36:93:85
@clementnuss
Contributor

hi @stephan2012,

this sounds like a valid use case, I will implement this in the coming days, and then ask for your help to validate it!

@clementnuss
Contributor

clementnuss commented Mar 4, 2022

hi @stephan2012

sorry for the time it took to implement that! you can try the following docker image which embeds this new feature: docker.io/postfinance/kubelet-csr-approver:feat

for instructions on how to use that feature, I've updated the readme: https://github.com/postfinance/kubelet-csr-approver/tree/feat/provider-ipset#parameters

please tell me if it works as expected, and tell me if the naming or documentation is unclear, I'll be happy to improve that :)

@stephan2012
Contributor Author

Thank you so much, @clementnuss! I appreciate your effort and like the extension that you have added.

I did some tests. Denials for non-whitelisted subnets work, and approving valid CSR requests works, too.

@clementnuss
Contributor

hi @stephan2012
thanks for your feedback! really appreciated :)

the image name has changed: docker.io/postfinance/kubelet-csr-approver:provider-ipset
do you mind testing it again? this time I've added an additional check: the IP addresses resolved from the request DNS name must also fall into the set of whitelisted IP addresses.
this will probably not impact you, as I've understood that DNS resolution isn't active in your environment, but as the image name changed I wanted to let you know.

I'll release a new version of the csr approver next week btw
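The check described in this thread, as an added example that is not the project's own code: the reporter's CSR carries an IP SAN (`IP Address:192.168.8.58`) that an approver can verify against a list of allowed subnets, and the later comment adds that the addresses a DNS SAN resolves to must fall into the same set. The Go program below builds a kubelet-style CSR with the same SANs as constructed input (assumed key and SANs, not a real node's request), then applies both rules. The `Resolver` type is an assumption of this example so the DNS step can be stubbed offline; a deployment would pass `net.LookupIP` or `nil` when DNS resolution is disabled. Rejecting a CSR with no IP SAN at all is a design choice of this example, not something the thread states about the project.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"net"
)

// Resolver abstracts DNS lookup so the check runs offline; a real approver would
// pass net.LookupIP. (Assumed interface for this example.)
type Resolver func(host string) ([]net.IP, error)

// newNodeCSR builds a kubelet-style CSR (O=system:nodes, CN=system:node:<name>) with
// the given SANs. Constructed input only; real kubelets generate their own requests.
func newNodeCSR(nodeName string, dnsNames []string, ips []net.IP) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:     pkix.Name{Organization: []string{"system:nodes"}, CommonName: "system:node:" + nodeName},
		DNSNames:    dnsNames,
		IPAddresses: ips,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// parseAllowed turns CIDR strings such as "192.168.8.0/24" into subnets.
func parseAllowed(cidrs []string) ([]*net.IPNet, error) {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad allowed subnet %q: %w", c, err)
		}
		nets = append(nets, n)
	}
	return nets, nil
}

// inAllowed reports whether ip lies inside any allowed subnet.
func inAllowed(ip net.IP, allowed []*net.IPNet) bool {
	for _, n := range allowed {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// checkCSR returns nil when the PEM parses, the CSR's self-signature verifies, it carries
// at least one IP SAN, every IP SAN is allowed and, when a resolver is given, every DNS
// SAN resolves only to allowed addresses. Otherwise it names the first violation.
func checkCSR(pemCSR []byte, allowed []*net.IPNet, resolve Resolver) error {
	block, _ := pem.Decode(pemCSR)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return fmt.Errorf("input is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return fmt.Errorf("cannot parse CSR: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("CSR signature invalid: %w", err)
	}
	if len(csr.IPAddresses) == 0 {
		return fmt.Errorf("CSR has no IP SAN to verify against the allowed subnets")
	}
	for _, ip := range csr.IPAddresses {
		if !inAllowed(ip, allowed) {
			return fmt.Errorf("IP SAN %s is outside the allowed subnets", ip)
		}
	}
	if resolve == nil { // DNS resolution disabled, as in the reporter's environment
		return nil
	}
	for _, name := range csr.DNSNames {
		ips, err := resolve(name)
		if err != nil {
			return fmt.Errorf("DNS SAN %q does not resolve: %w", name, err)
		}
		for _, ip := range ips {
			if !inAllowed(ip, allowed) {
				return fmt.Errorf("DNS SAN %q resolves to %s, outside the allowed subnets", name, ip)
			}
		}
	}
	return nil
}
```

Usage: build the subnet list once with `parseAllowed`, then call `checkCSR` with the PEM bytes (for a live request, the base64-decoded `.spec.request` shown in the first post) and either `net.LookupIP` or `nil`. Because `checkCSR` verifies the self-signature before looking at SANs, a request whose SAN list was tampered with after signing is rejected before any subnet comparison, and each rejection reason is returned as an error so the approver can log why a CSR was denied.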

@stephan2012
Contributor Author

Hi @clementnuss,
sure, I can re-test. Please allow for two or three days …

@clementnuss
Contributor

Hi @stephan2012,

have you had time to test the new image?

@stephan2012
Contributor Author

Hi @clementnuss,

yes, I have finally completed my tests without any issues. Works as expected. 😀

One thing that I have just noticed is that the Helm Chart neither provides a config option nor a way to pass generic environment variables. Let me know if you’d like to see a PR for it.

@clementnuss
Contributor

if you have time to do that, that would be great 👍🏻

it is also missing in the Kubernetes manifests here: https://github.com/postfinance/kubelet-csr-approver/blob/feat/provider-ipset/deploy/k8s/deployment.yaml if you also want to change that :)

@stephan2012
Contributor Author

Yes, I will take care of the Helm chart and the manifest.

@clementnuss
Contributor

clementnuss commented Apr 1, 2022

thanks for your help Stephan!
https://github.com/postfinance/kubelet-csr-approver/releases/tag/v0.2.0

I just published release v0.2.0, and the Helm chart was updated accordingly as well.
