A minimal Kubernetes controller that automatically handles kubelet serving certificate signing requests (CSRs) at the control plane during cluster bootstrapping.
For details, see
- https://kubernetes.io/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/#client-and-serving-certificates and
- https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#kubelet-serving-certs.
All this controller does is check a few fields of the CSR for plausibility. To interfere as little as possible with regular CSRs, it only reconciles CSRs submitted by a "system:node:NODE_NAME" identity.
For a controller that performs more checks and is generally more secure, see https://github.com/postfinance/kubelet-csr-approver. That repository also includes a threat model for its security considerations, something this project neglects for the sake of simplicity.
If security is a major concern for you, DO NOT USE this controller: it can be leveraged to get spoofed CSRs signed quite easily.
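The page does not spell out which CSR fields are checked, so the following is an added example of the kind of field-by-field validation the warning above calls for, written in Go because that is the language Kubernetes controllers are written in. It is neither tbctrl's code nor kubelet-csr-approver's. CSRRequest is a constructed stand-in for the certificates.k8s.io/v1 spec fields (so the example runs without client-go), the names ValidateKubeletServingCSR, BuildCSR and NodeRequest are introduced here, the rule that every DNS SAN must equal the node name is this example's own assumption, and the permitted usages are those of the kubernetes.io/kubelet-serving signer. BuildCSR generates the sample requests inline; they are constructed, not captured from a cluster.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"net"
	"strings"
)

// CSRRequest is a constructed stand-in for the certificates.k8s.io/v1 fields the checks look at.
type CSRRequest struct {
	Username   string   // spec.username: set by the API server from the client's identity
	SignerName string   // spec.signerName
	Usages     []string // spec.usages
	RequestPEM []byte   // spec.request: PEM-encoded PKCS#10 CSR
}

const nodeUserPrefix, nodesGroup, kubeletServingSigner = "system:node:", "system:nodes", "kubernetes.io/kubelet-serving"
// Usages the kubelet-serving signer permits; "server auth" is mandatory.
var allowedUsages = map[string]bool{"digital signature": true, "key encipherment": true, "server auth": true}

// ValidateKubeletServingCSR returns nil only when every field is consistent with a
// kubelet asking for its own serving certificate; the first failed check is reported.
func ValidateKubeletServingCSR(req CSRRequest) error {
	nodeName := strings.TrimPrefix(req.Username, nodeUserPrefix)
	if nodeName == "" || nodeName == req.Username {
		return fmt.Errorf("username %q is not a node identity", req.Username)
	}
	if req.SignerName != kubeletServingSigner {
		return fmt.Errorf("unexpected signer %q", req.SignerName)
	}
	serverAuth := false
	for _, u := range req.Usages {
		if !allowedUsages[u] {
			return fmt.Errorf("usage %q not permitted for kubelet-serving", u)
		}
		serverAuth = serverAuth || u == "server auth"
	}
	if !serverAuth {
		return errors.New("serving certificate must request server auth")
	}
	block, _ := pem.Decode(req.RequestPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return errors.New("spec.request is not a PEM CERTIFICATE REQUEST")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return fmt.Errorf("parsing CSR: %w", err)
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the private key
		return fmt.Errorf("CSR self-signature invalid: %w", err)
	}
	// The subject must name the node the API server actually authenticated.
	if csr.Subject.CommonName != req.Username {
		return fmt.Errorf("CN %q does not match requester %q", csr.Subject.CommonName, req.Username)
	}
	if len(csr.Subject.Organization) != 1 || csr.Subject.Organization[0] != nodesGroup {
		return fmt.Errorf("subject organization must be exactly [%s]", nodesGroup)
	}
	// A serving cert only needs DNS and IP SANs; anything else is suspicious.
	if len(csr.EmailAddresses) > 0 || len(csr.URIs) > 0 || len(csr.DNSNames)+len(csr.IPAddresses) == 0 {
		return errors.New("CSR must carry DNS/IP SANs only, and at least one")
	}
	// Assumption of this example: every DNS SAN must be the node name itself, so a
	// node cannot obtain a certificate that is valid for another host or service.
	for _, d := range csr.DNSNames {
		if d != nodeName {
			return fmt.Errorf("DNS SAN %q is not the node name %q", d, nodeName)
		}
	}
	return nil
}

// BuildCSR makes a PEM CSR with a fresh ECDSA key: what a kubelet (or an attacker holding node credentials) submits.
func BuildCSR(cn string, orgs, dns []string, ips []net.IP, emails []string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn, Organization: orgs},
		DNSNames: dns, IPAddresses: ips, EmailAddresses: emails}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
}

// NodeRequest wraps a CSR in the fields the API server attaches for a client authenticated as the given node.
func NodeRequest(node string, csrPEM []byte) CSRRequest {
	return CSRRequest{Username: nodeUserPrefix + node, SignerName: kubeletServingSigner,
		Usages: []string{"digital signature", "key encipherment", "server auth"}, RequestPEM: csrPEM}
}
```

`ValidateKubeletServingCSR(NodeRequest("worker-1", BuildCSR("system:node:worker-1", []string{"system:nodes"}, []string{"worker-1"}, nil, nil)))` returns nil, while the same request with CN `system:node:worker-2`, a DNS SAN of `kube-apiserver`, an email SAN, or a `client auth` usage is rejected. The point of the CN and SAN checks is that the API server sets spec.username from the client credential but leaves the PEM request untouched, so an approver that trusts only the username prefix will approve a request whose subject or SANs name a different host. In a real reconciler the same checks would run on the spec fields of the CertificateSigningRequest object, where spec.request carries the same PEM bytes.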
Deploy the controller to a cluster with Helm by running

```shell
# Add the repo to your local helm repositories
$ helm repo add tbctrl https://zoomoid.github.io/tbctrl
# Install the controller into the cluster
$ helm install tls-bootstrapping-controller tbctrl/tbctrl -n kube-system
```
You can also use the static manifests, but be aware of their defaults: metrics are enabled, and the image version is "latest" rather than a pinned release.

```shell
# Deploy controller to kube-system namespace
$ kubectl apply -n kube-system -f https://raw.githubusercontent.com/zoomoid/tbctrl/main/manifests/tbctrl.yaml
```
You can also use the kustomization available in ./manifests/kustomization as a base to customize the deployment without having to dig too deep into the YAML files.