diff --git a/cmd/kube-controller-manager/app/certificates.go b/cmd/kube-controller-manager/app/certificates.go
index af669e04dd5..ed9b38ad39e 100644
--- a/cmd/kube-controller-manager/app/certificates.go
+++ b/cmd/kube-controller-manager/app/certificates.go
@@ -42,6 +42,7 @@ func startCSRSigningController(ctx ControllerContext) (bool, error) {
 		ctx.InformerFactory.Certificates().V1beta1().CertificateSigningRequests(),
 		ctx.Options.ClusterSigningCertFile,
 		ctx.Options.ClusterSigningKeyFile,
+		ctx.Options.ClusterSigningDuration.Duration,
 	)
 	if err != nil {
 		glog.Errorf("Failed to start certificate controller: %v", err)
diff --git a/cmd/kube-controller-manager/app/options/BUILD b/cmd/kube-controller-manager/app/options/BUILD
index 24e610b7b7c..95a03df4fe9 100644
--- a/cmd/kube-controller-manager/app/options/BUILD
+++ b/cmd/kube-controller-manager/app/options/BUILD
@@ -17,6 +17,7 @@ go_library(
         "//pkg/controller/garbagecollector:go_default_library",
         "//pkg/features:go_default_library",
         "//pkg/master/ports:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/helpers:go_default_library",
         "//vendor/github.com/spf13/pflag:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/util/errors:go_default_library",
diff --git a/cmd/kube-controller-manager/app/options/options.go b/cmd/kube-controller-manager/app/options/options.go
index 20b94065d01..6d374330725 100644
--- a/cmd/kube-controller-manager/app/options/options.go
+++ b/cmd/kube-controller-manager/app/options/options.go
@@ -35,6 +35,7 @@ import (
 	// add the kubernetes feature gates
 	_ "k8s.io/kubernetes/pkg/features"
+	"github.com/cloudflare/cfssl/helpers"
 	"github.com/spf13/pflag"
 )
@@ -112,6 +113,7 @@ func NewCMServer() *CMServer {
 		GCIgnoredResources: gcIgnoredResources,
 		ClusterSigningCertFile: "/etc/kubernetes/ca/ca.pem",
 		ClusterSigningKeyFile: "/etc/kubernetes/ca/ca.key",
+		ClusterSigningDuration: metav1.Duration{Duration: helpers.OneYear},
 		ReconcilerSyncLoopPeriod: metav1.Duration{Duration: 60 * time.Second},
 		EnableTaintManager: true,
 		HorizontalPodAutoscalerUseRESTClients: false,
@@ -192,6 +194,7 @@ func (s *CMServer) AddFlags(fs *pflag.FlagSet, allControllers []string, disabled
 	fs.StringVar(&s.ServiceAccountKeyFile, "service-account-private-key-file", s.ServiceAccountKeyFile, "Filename containing a PEM-encoded private RSA or ECDSA key used to sign service account tokens.")
 	fs.StringVar(&s.ClusterSigningCertFile, "cluster-signing-cert-file", s.ClusterSigningCertFile, "Filename containing a PEM-encoded X509 CA certificate used to issue cluster-scoped certificates")
 	fs.StringVar(&s.ClusterSigningKeyFile, "cluster-signing-key-file", s.ClusterSigningKeyFile, "Filename containing a PEM-encoded RSA or ECDSA private key used to sign cluster-scoped certificates")
+	fs.DurationVar(&s.ClusterSigningDuration.Duration, "experimental-cluster-signing-duration", s.ClusterSigningDuration.Duration, "The length of duration signed certificates will be given.")
 	fs.StringVar(&s.ApproveAllKubeletCSRsForGroup, "insecure-experimental-approve-all-kubelet-csrs-for-group", s.ApproveAllKubeletCSRsForGroup, "The group for which the controller-manager will auto approve all CSRs for kubelet client certificates.")
 	fs.BoolVar(&s.EnableProfiling, "profiling", true, "Enable profiling via web interface host:port/debug/pprof/")
 	fs.BoolVar(&s.EnableContentionProfiling, "contention-profiling", false, "Enable lock contention profiling, if profiling is enabled")
diff --git a/hack/verify-flags/known-flags.txt b/hack/verify-flags/known-flags.txt
index cf0b1e31268..86093e51ac8 100644
--- a/hack/verify-flags/known-flags.txt
+++ b/hack/verify-flags/known-flags.txt
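Review bot: The default at `ClusterSigningDuration: metav1.Duration{Duration: helpers.OneYear}` pulls the vendored cfssl helpers package into the options package (and into its BUILD deps) for one constant, while `time` is already imported and used on the neighbouring `ReconcilerSyncLoopPeriod` line. The same value can be written locally as `ClusterSigningDuration: metav1.Duration{Duration: 365 * 24 * time.Hour},`, which matches the "8760h" expiry this diff removes from cfssl_signer.go and keeps the controller-manager's flag defaults independent of the signer library. NewCMServer continues outside the hunk.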
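Review bot: The help text on the new flag, `The length of duration signed certificates will be given.`, does not say which certificates it governs or what format the value takes, and it does not surface the default. Consider `fs.DurationVar(&s.ClusterSigningDuration.Duration, "experimental-cluster-signing-duration", s.ClusterSigningDuration.Duration, "The length of time that certificates issued by the CSR signing controller are valid for, as a Go duration (e.g. 8760h).")`. Because this value bounds how long an issued credential (such as the kubelet client certificates the next flag refers to) remains usable, operators should be able to see its meaning and default straight from --help. AddFlags continues outside the hunk.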
@@ -242,6 +242,7 @@ experimental-allowed-unsafe-sysctls
 experimental-bootstrap-kubeconfig
 experimental-bootstrap-token-auth
 experimental-check-node-capabilities-before-mount
+experimental-cluster-signing-duration
 experimental-cri
 experimental-dockershim
 experimental-dockershim-root-directory
diff --git a/pkg/apis/componentconfig/types.go b/pkg/apis/componentconfig/types.go
index 90efddee13d..5d1de1a0ced 100644
--- a/pkg/apis/componentconfig/types.go
+++ b/pkg/apis/componentconfig/types.go
@@ -836,6 +836,9 @@ type KubeControllerManagerConfiguration struct {
 	// clusterSigningCertFile is the filename containing a PEM-encoded
 	// RSA or ECDSA private key used to issue cluster-scoped certificates
 	ClusterSigningKeyFile string
+	// clusterSigningDuration is the length of duration signed certificates
+	// will be given.
+	ClusterSigningDuration metav1.Duration
 	// approveAllKubeletCSRs tells the CSR controller to approve all CSRs originating
 	// from the kubelet bootstrapping group automatically.
 	// WARNING: this grants all users with access to the certificates API group
diff --git a/pkg/controller/certificates/signer/cfssl_signer.go b/pkg/controller/certificates/signer/cfssl_signer.go
index fc1ad233922..e8309e59f3c 100644
--- a/pkg/controller/certificates/signer/cfssl_signer.go
+++ b/pkg/controller/certificates/signer/cfssl_signer.go
@@ -23,6 +23,7 @@ import (
 	"fmt"
 	"io/ioutil"
 	"os"
+	"time"
 	capi "k8s.io/kubernetes/pkg/apis/certificates/v1beta1"
 	"k8s.io/kubernetes/pkg/client/clientset_generated/clientset"
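Review bot: The new field comment `// clusterSigningDuration is the length of duration signed certificates` / `// will be given.` reads awkwardly and, like the flag help, leaves open which certificates are meant; suggest `// clusterSigningDuration is the length of time certificates issued by the` / `// CSR signing controller are valid for.`. While here, the context comment directly above `ClusterSigningKeyFile string` still starts with "clusterSigningCertFile", which predates this change but is now doubly confusing next to the new field. KubeControllerManagerConfiguration continues outside the hunk.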
@@ -35,20 +36,13 @@ import (
 	"github.com/cloudflare/cfssl/signer/local"
 )
-var onlySigningPolicy = &config.Signing{
-	Default: &config.SigningProfile{
-		Usage: []string{"signing"},
-		Expiry: helpers.OneYear,
-		ExpiryString: "8760h",
-	},
-}
-
 func NewCSRSigningController(
 	client clientset.Interface,
 	csrInformer certificatesinformers.CertificateSigningRequestInformer,
 	caFile, caKeyFile string,
+	certificateDuration time.Duration,
 ) (*certificates.CertificateController, error) {
-	signer, err := newCFSSLSigner(caFile, caKeyFile, client)
+	signer, err := newCFSSLSigner(caFile, caKeyFile, client, certificateDuration)
 	if err != nil {
 		return nil, err
 	}
@@ -60,13 +54,14 @@ func NewCSRSigningController(
 }
 type cfsslSigner struct {
-	ca *x509.Certificate
-	priv crypto.Signer
-	sigAlgo x509.SignatureAlgorithm
-	client clientset.Interface
+	ca *x509.Certificate
+	priv crypto.Signer
+	sigAlgo x509.SignatureAlgorithm
+	client clientset.Interface
+	certificateDuration time.Duration
 }
-func newCFSSLSigner(caFile, caKeyFile string, client clientset.Interface) (*cfsslSigner, error) {
+func newCFSSLSigner(caFile, caKeyFile string, client clientset.Interface, certificateDuration time.Duration) (*cfsslSigner, error) {
 	ca, err := ioutil.ReadFile(caFile)
 	if err != nil {
 		return nil, err
@@ -92,10 +87,11 @@ func newCFSSLSigner(caFile, caKeyFile string, client clientset.Interface) (*cfss
 		return nil, fmt.Errorf("Malformed private key %v", err)
 	}
 	return &cfsslSigner{
-		priv: priv,
-		ca: parsedCa,
-		sigAlgo: signer.DefaultSigAlgo(priv),
-		client: client,
+		priv: priv,
+		ca: parsedCa,
+		sigAlgo: signer.DefaultSigAlgo(priv),
+		client: client,
+		certificateDuration: certificateDuration,
 	}, nil
 }
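Review bot: NewCSRSigningController accepts `certificateDuration time.Duration` without checking it, and the only caller in this diff (startCSRSigningController in certificates.go) forwards the flag value unchanged, so a zero or negative `--experimental-cluster-signing-duration` is only seen later inside sign() in cfssl_signer.go, where it becomes the profile's Expiry and ExpiryString. Rejecting it at construction stops the controller from starting with a policy whose certificates would be expired on issue (what cfssl does with a zero Expiry I have not verified, so I would not rely on it): `if certificateDuration <= 0 { return nil, fmt.Errorf("certificate duration must be positive, got %v", certificateDuration) }` before the newCFSSLSigner call; fmt is already imported here per the import hunk above. The same guard belongs in newCFSSLSigner as well, since the test constructs the signer through that path directly.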
@@ -122,8 +118,8 @@ func (s *cfsslSigner) sign(csr *capi.CertificateSigningRequest) (*capi.Certifica
 	policy := &config.Signing{
 		Default: &config.SigningProfile{
 			Usage: usages,
-			Expiry: helpers.OneYear,
-			ExpiryString: "8760h",
+			Expiry: s.certificateDuration,
+			ExpiryString: s.certificateDuration.String(),
 		},
 	}
 	cfs, err := local.NewSigner(s.priv, s.ca, s.sigAlgo, policy)
diff --git a/pkg/controller/certificates/signer/cfssl_signer_test.go b/pkg/controller/certificates/signer/cfssl_signer_test.go
index 6d6c2f23748..8ba6c95da42 100644
--- a/pkg/controller/certificates/signer/cfssl_signer_test.go
+++ b/pkg/controller/certificates/signer/cfssl_signer_test.go
@@ -21,13 +21,14 @@ import (
 	"io/ioutil"
 	"reflect"
 	"testing"
+	"time"
 	"k8s.io/client-go/util/cert"
 	capi "k8s.io/kubernetes/pkg/apis/certificates/v1beta1"
 )
 func TestSigner(t *testing.T) {
-	s, err := newCFSSLSigner("./testdata/ca.crt", "./testdata/ca.key", nil)
+	s, err := newCFSSLSigner("./testdata/ca.crt", "./testdata/ca.key", nil, 1*time.Hour)
 	if err != nil {
 		t.Fatalf("failed to create signer: %v", err)
 	}
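Review bot: TestSigner now builds the signer with `1*time.Hour`, but nothing in the hunk asserts that the issued certificate actually carries that validity, so a regression that ignores certificateDuration (or silently keeps the old one-year expiry) would still pass. Once the signed certificate is parsed later in the test, add a check along the lines of `if got := c.NotAfter.Sub(c.NotBefore); got != 1*time.Hour { t.Fatalf("expected 1h validity, got %v", got) }` — if cfssl backdates NotBefore, compare against the duration plus that offset instead. The remainder of TestSigner, including where the certificate is parsed, is outside the hunk.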