feat(installer): limit the permissions of the certificates in webhook (…

…#829)
tkestack · Oct 20, 2020 · ab74cf9 · ab74cf9
1 parent 7881ef2
commit ab74cf9
Show file tree

Hide file tree

Showing 8 changed files with 72 additions and 18 deletions.
diff --git a/cmd/tke-installer/app/installer/certs/certs.go b/cmd/tke-installer/app/installer/certs/certs.go
@@ -86,6 +86,19 @@ func Generate(dnsNames []string, ips []net.IP, dir string) error {
 		return err
 	}
 
+	webhookCert, webhookKey, err := generateWebhookCertKey(caCert, caKey)
+	if err != nil {
+		return err
+	}
+	err = files.WriteFileWithDir(dir, constants.WebhookCrtFileBaseName, pkiutil.EncodeCertPEM(webhookCert), 0644)
+	if err != nil {
+		return err
+	}
+	err = files.WriteFileWithDir(dir, constants.WebhookKeyFileBaseName, pkiutil.EncodePrivateKeyPEM(webhookKey), 0644)
+	if err != nil {
+		return err
+	}
+
 	return nil
 }
 
@@ -135,6 +148,21 @@ func generateAdminCertKey(caCert *x509.Certificate, caKey crypto.Signer) (*x509.
 	return cert, key, nil
 }
 
+func generateWebhookCertKey(caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, *rsa.PrivateKey, error) {
+	config := &certutil.Config{
+		CommonName:   "webhook",
+		Organization: []string{"Tencent"},
+		AltNames:     certutil.AltNames{},
+		Usages:       []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
+	}
+	cert, key, err := pkiutil.NewCertAndKey(caCert, caKey, config)
+	if err != nil {
+		return nil, nil, errors.Wrap(err, "unable to sign certificate")
+	}
+
+	return cert, key, nil
+}
+
 // AlternateDNS return TKE alternateDNS
 func AlternateDNS() []string {
 	result := []string{

diff --git a/cmd/tke-installer/app/installer/constants/constants.go b/cmd/tke-installer/app/installer/constants/constants.go
@@ -47,6 +47,8 @@ const (
 	ServerKeyFile        = DataDir + "server.key"
 	AdminCrtFile         = DataDir + "admin.crt"
 	AdminKeyFile         = DataDir + "admin.key"
+	WebhookCrtFile       = DataDir + "webhook.crt"
+	WebhookKeyFile       = DataDir + "webhook.key"
 	KubeconfigFile       = DataDir + "admin.kubeconfig"
 
 	CACrtFileBaseName      = "ca.crt"
@@ -55,6 +57,8 @@ const (
 	ServerKeyFileBaseName  = "server.key"
 	AdminCrtFileBaseName   = "admin.crt"
 	AdminKeyFileBaseName   = "admin.key"
+	WebhookCrtFileBaseName = "webhook.crt"
+	WebhookKeyFileBaseName = "webhook.key"
 	KubeconfigFileBaseName = "admin.kubeconfig"
 
 	AuthzWebhookNodePort = 31138

diff --git a/cmd/tke-installer/app/installer/installer.go b/cmd/tke-installer/app/installer/installer.go
@@ -1280,6 +1280,14 @@ func (t *TKE) prepareCertificates(ctx context.Context) error {
 	if err != nil {
 		return err
 	}
+	webhookCrt, err := ioutil.ReadFile(constants.WebhookCrtFile)
+	if err != nil {
+		return err
+	}
+	webhookKey, err := ioutil.ReadFile(constants.WebhookKeyFile)
+	if err != nil {
+		return err
+	}
 
 	if t.Cluster.Spec.Etcd.External != nil {
 		return fmt.Errorf("external etcd specified, but ca key is not provided yet")
@@ -1307,6 +1315,8 @@ func (t *TKE) prepareCertificates(ctx context.Context) error {
 			"server.key":         string(serverKey),
 			"admin.crt":          string(adminCrt),
 			"admin.key":          string(adminKey),
+			"webhook.crt":        string(webhookCrt),
+			"webhook.key":        string(webhookKey),
 		},
 	}
 

diff --git a/pkg/platform/provider/baremetal/cluster/create.go b/pkg/platform/provider/baremetal/cluster/create.go
@@ -694,7 +694,7 @@ func (p *Provider) EnsurePrepareForControlplane(ctx context.Context, c *v1.Clust
 			return errors.Wrap(err, machine.IP)
 		}
 
-		err = machineSSH.WriteFile(bytes.NewReader(schedulerPolicyConfig), constants.KuberentesSchedulerPolicyConfigFile)
+		err = machineSSH.WriteFile(bytes.NewReader(schedulerPolicyConfig), constants.KubernetesSchedulerPolicyConfigFile)
 		if err != nil {
 			return errors.Wrap(err, machine.IP)
 		}
@@ -712,7 +712,7 @@ func (p *Provider) EnsurePrepareForControlplane(ctx context.Context, c *v1.Clust
 				if err != nil {
 					return errors.Wrap(err, machine.IP)
 				}
-				err = machineSSH.WriteFile(bytes.NewReader(auditWebhookConfig), constants.KuberentesAuditWebhookConfigFile)
+				err = machineSSH.WriteFile(bytes.NewReader(auditWebhookConfig), constants.KubernetesAuditWebhookConfigFile)
 				if err != nil {
 					return errors.Wrap(err, machine.IP)
 				}

diff --git a/pkg/platform/provider/baremetal/cluster/kubeadm.go b/pkg/platform/provider/baremetal/cluster/kubeadm.go
@@ -210,7 +210,7 @@ func (p *Provider) getAPIServerExtraArgs(c *v1.Cluster) map[string]string {
 	}
 	if p.config.AuditEnabled() {
 		args["audit-policy-file"] = constants.KubernetesAuditPolicyConfigFile
-		args["audit-webhook-config-file"] = constants.KuberentesAuditWebhookConfigFile
+		args["audit-webhook-config-file"] = constants.KubernetesAuditWebhookConfigFile
 	}
 	if c.AuthzWebhookEnabled() {
 		args["authorization-webhook-config-file"] = constants.KubernetesAuthzWebhookConfigFile
@@ -252,7 +252,7 @@ func (p *Provider) getControllerManagerExtraArgs(c *v1.Cluster) map[string]strin
 func (p *Provider) getSchedulerExtraArgs(c *v1.Cluster) map[string]string {
 	args := map[string]string{
 		"use-legacy-policy-config": "true",
-		"policy-config-file":       constants.KuberentesSchedulerPolicyConfigFile,
+		"policy-config-file":       constants.KubernetesSchedulerPolicyConfigFile,
 	}
 	for k, v := range c.Spec.SchedulerExtraArgs {
 		args[k] = v

diff --git a/pkg/platform/provider/baremetal/constants/constants.go b/pkg/platform/provider/baremetal/constants/constants.go
@@ -29,11 +29,13 @@ const (
 	AuthzWebhookConfigName = "tke-authz-webhook.yaml"
 	OIDCCACertName         = "oidc-ca.crt"
 	AdminCertName          = "admin.crt"
-	AdminkeyName           = "admin.key"
+	AdminKeyName           = "admin.key"
+	WebhookCertName        = "webhook.crt"
+	WebhookKeyName         = "webhook.key"
 	// Kubernetes Config
 	KubernetesDir                       = "/etc/kubernetes/"
-	KuberentesSchedulerPolicyConfigFile = KubernetesDir + "scheduler-policy-config.json"
-	KuberentesAuditWebhookConfigFile    = KubernetesDir + "audit-api-client-config.yaml"
+	KubernetesSchedulerPolicyConfigFile = KubernetesDir + "scheduler-policy-config.json"
+	KubernetesAuditWebhookConfigFile    = KubernetesDir + "audit-api-client-config.yaml"
 	TokenFile                           = KubernetesDir + "known_tokens.csv"
 	KubernetesAuditPolicyConfigFile     = KubernetesDir + AuditPolicyConfigName
 	KubernetesAuthzWebhookConfigFile    = KubernetesDir + AuthzWebhookConfigName
@@ -56,7 +58,7 @@ const (
 
 	// AppCert
 	AppAdminCertFile = AppCertDir + AdminCertName
-	AppAdminKeyFile  = AppCertDir + AdminkeyName
+	AppAdminKeyFile  = AppCertDir + AdminKeyName
 
 	// ETC
 	EtcdDataDir          = "/var/lib/etcd"
@@ -66,8 +68,8 @@ const (
 	// PKI
 	CertificatesDir = KubernetesDir + "pki/"
 	OIDCCACertFile  = CertificatesDir + OIDCCACertName
-	AdminCertFile   = CertificatesDir + AdminCertName
-	AdminKeyFile    = CertificatesDir + AdminkeyName
+	WebhookCertFile = CertificatesDir + WebhookCertName
+	WebhookKeyFile  = CertificatesDir + WebhookKeyName
 
 	// CACertName defines certificate name
 	CACertName = CertificatesDir + "ca.crt"

diff --git a/pkg/platform/provider/baremetal/phases/authzwebhook/authzwebhook.go b/pkg/platform/provider/baremetal/phases/authzwebhook/authzwebhook.go
@@ -42,8 +42,8 @@ clusters:
 users:
   - name: admin-cert
     user:
-      client-certificate: {{.AdminCertFile}}
-      client-key: {{.AdminKeyFile}}
+      client-certificate: {{.WebhookCertFile}}
+      client-key: {{.WebhookKeyFile}}
 current-context: tke
 contexts:
 - context:
@@ -61,8 +61,8 @@ type Option struct {
 func Install(s ssh.Interface, option *Option) error {
 	authzWebhookConfig, err := template.ParseString(authzWebhookConfig, map[string]interface{}{
 		"AuthzEndpoint": option.AuthzWebhookEndpoint,
-		"AdminCertFile": constants.AdminCertFile,
-		"AdminKeyFile":  constants.AdminKeyFile,
+		"WebhookCertFile": constants.WebhookCertFile,
+		"WebhookKeyFile":  constants.WebhookKeyFile,
 	})
 	if err != nil {
 		return errors.Wrap(err, "parse authzWebhookConfig error")
@@ -76,19 +76,19 @@ func Install(s ssh.Interface, option *Option) error {
 	if option.IsGlobalCluster {
 		basePath = installerconstants.DataDir
 	}
-	adminCertData, err := ioutil.ReadFile(basePath + constants.AdminCertName)
+	webhookCertData, err := ioutil.ReadFile(basePath + constants.WebhookCertName)
 	if err != nil {
 		return err
 	}
-	err = s.WriteFile(bytes.NewReader(adminCertData), constants.AdminCertFile)
+	err = s.WriteFile(bytes.NewReader(webhookCertData), constants.WebhookCertFile)
 	if err != nil {
 		return err
 	}
-	adminKeyData, err := ioutil.ReadFile(basePath + constants.AdminkeyName)
+	webhookKeyData, err := ioutil.ReadFile(basePath + constants.WebhookKeyName)
 	if err != nil {
 		return err
 	}
-	err = s.WriteFile(bytes.NewReader(adminKeyData), constants.AdminKeyFile)
+	err = s.WriteFile(bytes.NewReader(webhookKeyData), constants.WebhookKeyFile)
 	if err != nil {
 		return err
 	}

diff --git a/test/e2e/certs/certs.go b/test/e2e/certs/certs.go
@@ -90,6 +90,14 @@ func (c *TkeCert) CreateCertMap(ctx context.Context, client kubernetes.Interface
 	if err != nil {
 		return err
 	}
+	webhookCert, err := files.ReadFileWithDir(c.tmpDir, constants.WebhookCrtFileBaseName)
+	if err != nil {
+		return err
+	}
+	webhookKey, err := files.ReadFileWithDir(c.tmpDir, constants.WebhookKeyFileBaseName)
+	if err != nil {
+		return err
+	}
 
 	cm := &corev1.ConfigMap{
 		ObjectMeta: metav1.ObjectMeta{
@@ -106,6 +114,8 @@ func (c *TkeCert) CreateCertMap(ctx context.Context, client kubernetes.Interface
 			"server.key":  string(serverKey),
 			"admin.crt":   string(adminCert),
 			"admin.key":   string(adminKey),
+			"webhook.crt": string(webhookCert),
+			"webhook.key": string(webhookKey),
 		},
 	}