kubernetes mutual (2-way) x509 comment

Kubernetes-commit: 48260b4a77b423b178ec5e262ac67be52d49f455
This commit is contained in:
seantywork 2023-08-18 01:31:22 +00:00 committed by Kubernetes Publisher
parent c1466acf62
commit ff3618ffb3

View File

@ -96,6 +96,32 @@ func TLSConfigFor(c *Config) (*tls.Config, error) {
}
if c.HasCA() {
/*
kubernetes mutual (2-way) x509 between client and apiserver:
1. apiserver sending its apiserver certificate along with its publickey to client
>2. client verifies the apiserver certificate sent against its cluster certificate authority data
3. client sending its client certificate along with its public key to the apiserver
4. apiserver verifies the client certificate sent against its cluster certificate authority data
description:
here, with this block,
cluster certificate authority data gets loaded into TLS before the handshake process
for client to later during the handshake verify the apiserver certificate
normal args related to this stage:
--certificate-authority='':
Path to a cert file for the certificate authority
(retrievable from "kubectl options" command)
(suggested by @deads2k)
see also:
- for the step 1, see: staging/src/k8s.io/apiserver/pkg/server/options/serving.go
- for the step 3, see: a few lines below in this file
- for the step 4, see: staging/src/k8s.io/apiserver/pkg/authentication/request/x509/x509.go
*/
rootCAs, err := rootCertPool(c.TLS.CAData)
if err != nil {
return nil, fmt.Errorf("unable to load root certificates: %w", err)
@ -121,6 +147,35 @@ func TLSConfigFor(c *Config) (*tls.Config, error) {
}
if c.HasCertAuth() || c.HasCertCallback() {
/*
kubernetes mutual (2-way) x509 between client and apiserver:
1. apiserver sending its apiserver certificate along with its publickey to client
2. client verifies the apiserver certificate sent against its cluster certificate authority data
>3. client sending its client certificate along with its public key to the apiserver
4. apiserver verifies the client certificate sent against its cluster certificate authority data
description:
here, with this callback function,
client certificate and pub key get loaded into TLS during the handshake process
for apiserver to later in the step 4 verify the client certificate
normal args related to this stage:
--client-certificate='':
Path to a client certificate file for TLS
--client-key='':
Path to a client key file for TLS
(retrievable from "kubectl options" command)
(suggested by @deads2k)
see also:
- for the step 1, see: staging/src/k8s.io/apiserver/pkg/server/options/serving.go
- for the step 2, see: a few lines above in this file
- for the step 4, see: staging/src/k8s.io/apiserver/pkg/authentication/request/x509/x509.go
*/
tlsConfig.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
// Note: static key/cert data always take precedence over cert
// callback.