Merge pull request #101977 from SataQiu/fix-kubeadm-allow-20210513

kubeadm: fix the bug that kubeadm only uses the first hash in caCertHashes to verify the root CA
Kubernetes Prow Robot 2021-05-13 13:35:17 -07:00 committed by GitHub
commit 2a106464d3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 14 additions and 1 deletions


@ -59,7 +59,9 @@ func (s *Set) Allow(pubKeyHashes ...string) error {
switch strings.ToLower(format) { switch strings.ToLower(format) {
case "sha256": case "sha256":
return s.allowSHA256(value) if err := s.allowSHA256(value); err != nil {
return errors.Errorf("invalid hash %q, %v", pubKeyHash, err)
}
default: default:
return errors.Errorf("unknown hash format %q. Known format(s) are: %s", format, supportedFormats) return errors.Errorf("unknown hash format %q. Known format(s) are: %s", format, supportedFormats)
} }
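Review bot: Allow can now return an error after it has already added earlier entries to the set, because the `sha256` case no longer returns on the first hash and a later malformed entry aborts part-way. The surrounding loop is outside this hunk, so this is inferred from `pubKeyHash` and the variadic signature. For a CA pin set that contract is worth stating on the function, for example `// On error the Set may already hold the hashes that preceded the invalid one; callers should discard it.` Separately, `%v` flattens the cause into text; if this `errors` package is github.com/pkg/errors, `errors.Wrapf(err, "invalid hash %q", pubKeyHash)` would keep the cause attached.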


@ -143,6 +143,17 @@ func TestSet(t *testing.T) {
t.Error("expected the second test cert to be disallowed") t.Error("expected the second test cert to be disallowed")
return return
} }
s = NewSet() // keep set empty
hashes := []string{
`sha256:0000000000000000000000000000000000000000000000000000000000000000`,
`sha256:0000000000000000000000000000000000000000000000000000000000000001`,
}
err = s.Allow(hashes...)
if err != nil || len(s.sha256Hashes) != 2 {
t.Error("expected allowing multiple hashes to succeed")
return
}
} }
func TestHash(t *testing.T) { func TestHash(t *testing.T) {
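Review bot: The added case only exercises the success path, so it does not pin what happens when a later entry is bad, which is the path the old early `return` never reached. A second case with a valid first hash followed by a malformed or unknown-format one, asserting `err != nil`, would cover it. The combined check `if err != nil || len(s.sha256Hashes) != 2` also folds two different failures into one fixed message; `t.Errorf("Allow(%v): err=%v, len=%d, want 2", hashes, err, len(s.sha256Hashes))` would make a failure diagnosable. TestSet begins outside this hunk.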