Merge pull request #119790 from seantywork/added-comment

added comment for clarifying steps related to kubernetes mutual (2-wa… Kubernetes-commit: 55c86d6ad930d437931079318d740bdf8dac34f0
2025-06-24 14:12:18 +00:00 · 2023-08-21 11:09:34 -07:00 · 2023-08-21 11:09:34 -07:00 · 3fe9aa4466
commit 3fe9aa4466
parent c1466acf62 ff3618ffb3
3 changed files with 59 additions and 4 deletions
--- a/go.mod
+++ b/go.mod
@ -23,7 +23,7 @@ require (
 	golang.org/x/term v0.10.0
 	golang.org/x/time v0.3.0
 	google.golang.org/protobuf v1.30.0
-	k8s.io/api v0.0.0-20230817235229-faa8535f5abf
+	k8s.io/api v0.0.0-20230819043120-3dcdf4ede337
 	k8s.io/apimachinery v0.0.0-20230816163301-3e2600dc79fe
 	k8s.io/klog/v2 v2.100.1
 	k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9
@ -60,6 +60,6 @@ require (
 )

 replace (
-	k8s.io/api => k8s.io/api v0.0.0-20230817235229-faa8535f5abf
+	k8s.io/api => k8s.io/api v0.0.0-20230819043120-3dcdf4ede337
 	k8s.io/apimachinery => k8s.io/apimachinery v0.0.0-20230816163301-3e2600dc79fe
 )
--- a/go.sum
+++ b/go.sum
@ -146,8 +146,8 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/api v0.0.0-20230817235229-faa8535f5abf h1:hwokl+hRy/h2wCOeO0W4teqklM+RInZhE6fC3cfL8sQ=
-k8s.io/api v0.0.0-20230817235229-faa8535f5abf/go.mod h1:GT9MF3sI/KGC+k3nmiQ+++vvUhyZtGX3GHeDSaF2kT0=
+k8s.io/api v0.0.0-20230819043120-3dcdf4ede337 h1:qcLQ7TKrB/qI/is+41gn8RLB1JchX77IJxoU9ayd00E=
+k8s.io/api v0.0.0-20230819043120-3dcdf4ede337/go.mod h1:GT9MF3sI/KGC+k3nmiQ+++vvUhyZtGX3GHeDSaF2kT0=
 k8s.io/apimachinery v0.0.0-20230816163301-3e2600dc79fe h1:UjWeb1lUhxUf0Ryph1r1hz+pENt060neKZ+P3gKWrDc=
 k8s.io/apimachinery v0.0.0-20230816163301-3e2600dc79fe/go.mod h1:X0xh/chESs2hP9koe+SdIAcXWcQ+RM5hy0ZynB+yEvw=
 k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg=
--- a/transport/transport.go
+++ b/transport/transport.go
@ -96,6 +96,32 @@ func TLSConfigFor(c *Config) (*tls.Config, error) {
 	}

 	if c.HasCA() {
+		/*
+			kubernetes mutual (2-way) x509 between client and apiserver:
+
+				1. apiserver sending its apiserver certificate along with its publickey to client
+				>2. client verifies the apiserver certificate sent against its cluster certificate authority data
+				3. client sending its client certificate along with its public key to the apiserver
+				4. apiserver verifies the client certificate sent against its cluster certificate authority data
+
+				description:
+					here, with this block,
+					cluster certificate authority data gets loaded into TLS before the handshake process
+					for client to later during the handshake verify the apiserver certificate
+
+				normal args related to this stage:
+					--certificate-authority='':
+						Path to a cert file for the certificate authority
+
+					(retrievable from "kubectl options" command)
+					(suggested by @deads2k)
+
+				see also:
+					- for the step 1, see: staging/src/k8s.io/apiserver/pkg/server/options/serving.go
+					- for the step 3, see: a few lines below in this file
+					- for the step 4, see: staging/src/k8s.io/apiserver/pkg/authentication/request/x509/x509.go
+		*/
+
 		rootCAs, err := rootCertPool(c.TLS.CAData)
 		if err != nil {
 			return nil, fmt.Errorf("unable to load root certificates: %w", err)
@ -121,6 +147,35 @@ func TLSConfigFor(c *Config) (*tls.Config, error) {
 	}

 	if c.HasCertAuth() || c.HasCertCallback() {
+
+		/*
+			    kubernetes mutual (2-way) x509 between client and apiserver:
+
+					1. apiserver sending its apiserver certificate along with its publickey to client
+					2. client verifies the apiserver certificate sent against its cluster certificate authority data
+					>3. client sending its client certificate along with its public key to the apiserver
+					4. apiserver verifies the client certificate sent against its cluster certificate authority data
+
+					description:
+						here, with this callback function,
+						client certificate and pub key get loaded into TLS during the handshake process
+						for apiserver to later in the step 4 verify the client certificate
+
+					normal args related to this stage:
+						--client-certificate='':
+							Path to a client certificate file for TLS
+						--client-key='':
+							Path to a client key file for TLS
+
+						(retrievable from "kubectl options" command)
+						(suggested by @deads2k)
+
+					see also:
+						- for the step 1, see: staging/src/k8s.io/apiserver/pkg/server/options/serving.go
+						- for the step 2, see: a few lines above in this file
+						- for the step 4, see: staging/src/k8s.io/apiserver/pkg/authentication/request/x509/x509.go
+		*/
+
 		tlsConfig.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
 			// Note: static key/cert data always take precedence over cert
 			// callback.