csr: add expirationSeconds field to control cert lifetime

This change updates the CSR API to add a new, optional field called
expirationSeconds.  This field is a request to the signer for the
maximum duration the client wishes the cert to have.  The signer is
free to ignore this request based on its own internal policy.  The
signers built-in to KCM will honor this field if it is not set to a
value greater than --cluster-signing-duration.  The minimum allowed
value for this field is 600 seconds (ten minutes).

This change will help enforce safer durations for certificates in
the Kube ecosystem and will help related projects such as
cert-manager with their migration to the Kube CSR API.

Future enhancements may update the Kubelet to take advantage of this
field when it is configured in a way that can tolerate shorter
certificate lifespans with regular rotation.

Signed-off-by: Monis Khan <mok@vmware.com>
This commit is contained in:
Monis Khan 2021-06-25 22:08:10 -04:00
parent 0dad7d1c47
commit cd91e59f7c
No known key found for this signature in database
GPG Key ID: 52C90ADA01B269B8
24 changed files with 1413 additions and 71 deletions

View File

@ -45,8 +45,8 @@ func (o *CSRSigningControllerOptions) AddFlags(fs *pflag.FlagSet) {
fs.StringVar(&o.KubeAPIServerClientSignerConfiguration.KeyFile, "cluster-signing-kube-apiserver-client-key-file", o.KubeAPIServerClientSignerConfiguration.KeyFile, "Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/kube-apiserver-client signer. If specified, --cluster-signing-{cert,key}-file must not be set.")
fs.StringVar(&o.LegacyUnknownSignerConfiguration.CertFile, "cluster-signing-legacy-unknown-cert-file", o.LegacyUnknownSignerConfiguration.CertFile, "Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/legacy-unknown signer. If specified, --cluster-signing-{cert,key}-file must not be set.")
fs.StringVar(&o.LegacyUnknownSignerConfiguration.KeyFile, "cluster-signing-legacy-unknown-key-file", o.LegacyUnknownSignerConfiguration.KeyFile, "Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/legacy-unknown signer. If specified, --cluster-signing-{cert,key}-file must not be set.")
fs.DurationVar(&o.ClusterSigningDuration.Duration, "cluster-signing-duration", o.ClusterSigningDuration.Duration, "The length of duration signed certificates will be given.")
fs.DurationVar(&o.ClusterSigningDuration.Duration, "experimental-cluster-signing-duration", o.ClusterSigningDuration.Duration, "The length of duration signed certificates will be given.")
fs.DurationVar(&o.ClusterSigningDuration.Duration, "cluster-signing-duration", o.ClusterSigningDuration.Duration, "The max length of duration signed certificates will be given. Individual CSRs may request shorter certs by setting spec.expirationSeconds.")
fs.DurationVar(&o.ClusterSigningDuration.Duration, "experimental-cluster-signing-duration", o.ClusterSigningDuration.Duration, "The max length of duration signed certificates will be given. Individual CSRs may request shorter certs by setting spec.expirationSeconds.")
fs.MarkDeprecated("experimental-cluster-signing-duration", "use --cluster-signing-duration")
}

View File

@ -17,9 +17,12 @@ limitations under the License.
package fuzzer
import (
"time"
fuzz "github.com/google/gofuzz"
runtimeserializer "k8s.io/apimachinery/pkg/runtime/serializer"
"k8s.io/client-go/util/certificate/csr"
"k8s.io/kubernetes/pkg/apis/certificates"
api "k8s.io/kubernetes/pkg/apis/core"
)
@ -31,6 +34,7 @@ var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
c.FuzzNoCustom(obj) // fuzz self without calling this function again
obj.Usages = []certificates.KeyUsage{certificates.UsageKeyEncipherment}
obj.SignerName = "example.com/custom-sample-signer"
obj.ExpirationSeconds = csr.DurationToExpirationSeconds(time.Hour + time.Minute + time.Second)
},
func(obj *certificates.CertificateSigningRequestCondition, c fuzz.Continue) {
c.FuzzNoCustom(obj) // fuzz self without calling this function again

View File

@ -68,6 +68,30 @@ type CertificateSigningRequestSpec struct {
// 6. Whether or not requests for CA certificates are allowed.
SignerName string
// expirationSeconds is the requested duration of validity of the issued
// certificate. The certificate signer may issue a certificate with a different
// validity duration so a client must check the delta between the notBefore and
// and notAfter fields in the issued certificate to determine the actual duration.
//
// The v1.22+ in-tree implementations of the well-known Kubernetes signers will
// honor this field as long as the requested duration is not greater than the
// maximum duration they will honor per the --cluster-signing-duration CLI
// flag to the Kubernetes controller manager.
//
// Certificate signers may not honor this field for various reasons:
//
// 1. Old signer that is unaware of the field (such as the in-tree
// implementations prior to v1.22)
// 2. Signer whose configured maximum is shorter than the requested duration
// 3. Signer whose configured minimum is longer than the requested duration
//
// The minimum valid value for expirationSeconds is 600, i.e. 10 minutes.
//
// As of v1.22, this field is beta and is controlled via the CSRDuration feature gate.
//
// +optional
ExpirationSeconds *int32
// usages specifies a set of usage contexts the key will be
// valid for.
// See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3

View File

@ -205,6 +205,9 @@ func validateCertificateSigningRequest(csr *certificates.CertificateSigningReque
} else {
allErrs = append(allErrs, ValidateCertificateSigningRequestSignerName(specPath.Child("signerName"), csr.Spec.SignerName)...)
}
if csr.Spec.ExpirationSeconds != nil && *csr.Spec.ExpirationSeconds < 600 {
allErrs = append(allErrs, field.Invalid(specPath.Child("expirationSeconds"), *csr.Spec.ExpirationSeconds, "may not specify a duration less than 600 seconds (10 minutes)"))
}
allErrs = append(allErrs, validateConditions(field.NewPath("status", "conditions"), csr, opts)...)
if !opts.allowArbitraryCertificate {

View File

@ -26,14 +26,17 @@ import (
"reflect"
"strings"
"testing"
"time"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/client-go/util/certificate/csr"
capi "k8s.io/kubernetes/pkg/apis/certificates"
capiv1beta1 "k8s.io/kubernetes/pkg/apis/certificates/v1beta1"
"k8s.io/kubernetes/pkg/apis/core"
"k8s.io/utils/pointer"
)
var (
@ -262,6 +265,74 @@ func TestValidateCertificateSigningRequestCreate(t *testing.T) {
},
errs: field.ErrorList{},
},
"negative duration": {
csr: capi.CertificateSigningRequest{
ObjectMeta: validObjectMeta,
Spec: capi.CertificateSigningRequestSpec{
Usages: validUsages,
Request: newCSRPEM(t),
SignerName: validSignerName,
ExpirationSeconds: pointer.Int32(-1),
},
},
errs: field.ErrorList{
field.Invalid(specPath.Child("expirationSeconds"), int32(-1), "may not specify a duration less than 600 seconds (10 minutes)"),
},
},
"zero duration": {
csr: capi.CertificateSigningRequest{
ObjectMeta: validObjectMeta,
Spec: capi.CertificateSigningRequestSpec{
Usages: validUsages,
Request: newCSRPEM(t),
SignerName: validSignerName,
ExpirationSeconds: pointer.Int32(0),
},
},
errs: field.ErrorList{
field.Invalid(specPath.Child("expirationSeconds"), int32(0), "may not specify a duration less than 600 seconds (10 minutes)"),
},
},
"one duration": {
csr: capi.CertificateSigningRequest{
ObjectMeta: validObjectMeta,
Spec: capi.CertificateSigningRequestSpec{
Usages: validUsages,
Request: newCSRPEM(t),
SignerName: validSignerName,
ExpirationSeconds: pointer.Int32(1),
},
},
errs: field.ErrorList{
field.Invalid(specPath.Child("expirationSeconds"), int32(1), "may not specify a duration less than 600 seconds (10 minutes)"),
},
},
"too short duration": {
csr: capi.CertificateSigningRequest{
ObjectMeta: validObjectMeta,
Spec: capi.CertificateSigningRequestSpec{
Usages: validUsages,
Request: newCSRPEM(t),
SignerName: validSignerName,
ExpirationSeconds: csr.DurationToExpirationSeconds(time.Minute),
},
},
errs: field.ErrorList{
field.Invalid(specPath.Child("expirationSeconds"), *csr.DurationToExpirationSeconds(time.Minute), "may not specify a duration less than 600 seconds (10 minutes)"),
},
},
"valid duration": {
csr: capi.CertificateSigningRequest{
ObjectMeta: validObjectMeta,
Spec: capi.CertificateSigningRequestSpec{
Usages: validUsages,
Request: newCSRPEM(t),
SignerName: validSignerName,
ExpirationSeconds: csr.DurationToExpirationSeconds(10 * time.Minute),
},
},
errs: field.ErrorList{},
},
"missing usages": {
csr: capi.CertificateSigningRequest{
ObjectMeta: validObjectMeta,

View File

@ -38,8 +38,8 @@ type CSRSigningControllerConfiguration struct {
// legacyUnknownSignerConfiguration holds the certificate and key used to issue certificates for the kubernetes.io/legacy-unknown
LegacyUnknownSignerConfiguration CSRSigningConfiguration
// clusterSigningDuration is the length of duration signed certificates
// will be given.
// clusterSigningDuration is the max length of duration signed certificates will be given.
// Individual CSRs may request shorter certs by setting spec.expirationSeconds.
ClusterSigningDuration metav1.Duration
}

View File

@ -30,11 +30,14 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apiserver/pkg/server/dynamiccertificates"
utilfeature "k8s.io/apiserver/pkg/util/feature"
certificatesinformers "k8s.io/client-go/informers/certificates/v1"
clientset "k8s.io/client-go/kubernetes"
"k8s.io/client-go/util/certificate/csr"
capihelper "k8s.io/kubernetes/pkg/apis/certificates"
"k8s.io/kubernetes/pkg/controller/certificates"
"k8s.io/kubernetes/pkg/controller/certificates/authority"
"k8s.io/kubernetes/pkg/features"
)
type CSRSigningController struct {
@ -115,7 +118,7 @@ type signer struct {
caProvider *caProvider
client clientset.Interface
certTTL time.Duration
certTTL time.Duration // max TTL; individual requests may request shorter certs by setting spec.expirationSeconds
signerName string
isRequestForSignerFn isRequestForSignerFunc
@ -173,7 +176,7 @@ func (s *signer) handle(csr *capi.CertificateSigningRequest) error {
// Ignore requests for kubernetes.io signerNames we don't recognize
return nil
}
cert, err := s.sign(x509cr, csr.Spec.Usages, nil)
cert, err := s.sign(x509cr, csr.Spec.Usages, csr.Spec.ExpirationSeconds, nil)
if err != nil {
return fmt.Errorf("error auto signing csr: %v", err)
}
@ -185,15 +188,15 @@ func (s *signer) handle(csr *capi.CertificateSigningRequest) error {
return nil
}
func (s *signer) sign(x509cr *x509.CertificateRequest, usages []capi.KeyUsage, now func() time.Time) ([]byte, error) {
func (s *signer) sign(x509cr *x509.CertificateRequest, usages []capi.KeyUsage, expirationSeconds *int32, now func() time.Time) ([]byte, error) {
currCA, err := s.caProvider.currentCA()
if err != nil {
return nil, err
}
der, err := currCA.Sign(x509cr.Raw, authority.PermissiveSigningPolicy{
TTL: s.certTTL,
TTL: s.duration(expirationSeconds),
Usages: usages,
Backdate: 5 * time.Minute, // this must always be less than the minimum TTL requested by a user
Backdate: 5 * time.Minute, // this must always be less than the minimum TTL requested by a user (see sanity check requestedDuration below)
Short: 8 * time.Hour, // 5 minutes of backdating is roughly 1% of 8 hours
Now: now,
})
@ -203,6 +206,30 @@ func (s *signer) sign(x509cr *x509.CertificateRequest, usages []capi.KeyUsage, n
return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}
func (s *signer) duration(expirationSeconds *int32) time.Duration {
if !utilfeature.DefaultFeatureGate.Enabled(features.CSRDuration) {
return s.certTTL
}
if expirationSeconds == nil {
return s.certTTL
}
// honor requested duration is if it is less than the default TTL
// use 10 min (2x hard coded backdate above) as a sanity check lower bound
const min = 10 * time.Minute
switch requestedDuration := csr.ExpirationSecondsToDuration(*expirationSeconds); {
case requestedDuration > s.certTTL:
return s.certTTL
case requestedDuration < min:
return min
default:
return requestedDuration
}
}
// getCSRVerificationFuncForSignerName is a function that provides reliable mapping of signer names to verification so that
// we don't have accidents with wiring at some later date.
func getCSRVerificationFuncForSignerName(signerName string) (isRequestForSignerFunc, error) {

View File

@ -32,11 +32,15 @@ import (
capi "k8s.io/api/certificates/v1"
"k8s.io/apimachinery/pkg/util/clock"
"k8s.io/apimachinery/pkg/util/diff"
utilfeature "k8s.io/apiserver/pkg/util/feature"
"k8s.io/client-go/kubernetes/fake"
testclient "k8s.io/client-go/testing"
"k8s.io/client-go/util/cert"
"k8s.io/client-go/util/certificate/csr"
featuregatetesting "k8s.io/component-base/featuregate/testing"
capihelper "k8s.io/kubernetes/pkg/apis/certificates/v1"
"k8s.io/kubernetes/pkg/controller/certificates"
"k8s.io/kubernetes/pkg/features"
)
func TestSigner(t *testing.T) {
@ -61,7 +65,11 @@ func TestSigner(t *testing.T) {
capi.UsageKeyEncipherment,
capi.UsageServerAuth,
capi.UsageClientAuth,
}, fakeClock.Now)
},
// requesting a duration that is greater than TTL is ignored
csr.DurationToExpirationSeconds(3*time.Hour),
fakeClock.Now,
)
if err != nil {
t.Fatalf("failed to sign CSR: %v", err)
}
@ -344,3 +352,91 @@ func makeTestCSR(b csrBuilder) *capi.CertificateSigningRequest {
}
return csr
}
func Test_signer_duration(t *testing.T) {
t.Parallel()
tests := []struct {
name string
certTTL time.Duration
expirationSeconds *int32
wantGateEnabled time.Duration
wantGateDisabled time.Duration
}{
{
name: "can request shorter duration than TTL",
certTTL: time.Hour,
expirationSeconds: csr.DurationToExpirationSeconds(30 * time.Minute),
wantGateEnabled: 30 * time.Minute,
wantGateDisabled: time.Hour,
},
{
name: "cannot request longer duration than TTL",
certTTL: time.Hour,
expirationSeconds: csr.DurationToExpirationSeconds(3 * time.Hour),
wantGateEnabled: time.Hour,
wantGateDisabled: time.Hour,
},
{
name: "cannot request negative duration",
certTTL: time.Hour,
expirationSeconds: csr.DurationToExpirationSeconds(-time.Minute),
wantGateEnabled: 10 * time.Minute,
wantGateDisabled: time.Hour,
},
{
name: "cannot request duration less than 10 mins",
certTTL: time.Hour,
expirationSeconds: csr.DurationToExpirationSeconds(10*time.Minute - time.Second),
wantGateEnabled: 10 * time.Minute,
wantGateDisabled: time.Hour,
},
{
name: "can request duration of exactly 10 mins",
certTTL: time.Hour,
expirationSeconds: csr.DurationToExpirationSeconds(10 * time.Minute),
wantGateEnabled: 10 * time.Minute,
wantGateDisabled: time.Hour,
},
{
name: "can request duration equal to the default",
certTTL: time.Hour,
expirationSeconds: csr.DurationToExpirationSeconds(time.Hour),
wantGateEnabled: time.Hour,
wantGateDisabled: time.Hour,
},
{
name: "can choose not to request a duration to get the default",
certTTL: time.Hour,
expirationSeconds: nil,
wantGateEnabled: time.Hour,
wantGateDisabled: time.Hour,
},
}
for _, tt := range tests {
tt := tt
f := func(t *testing.T, want time.Duration) {
s := &signer{
certTTL: tt.certTTL,
}
if got := s.duration(tt.expirationSeconds); got != want {
t.Errorf("duration() = %v, want %v", got, want)
}
}
// regular tests
t.Run(tt.name, func(t *testing.T) {
t.Parallel() // these are safe to run in parallel but not the feature gate disabled tests
f(t, tt.wantGateEnabled)
})
// same tests with the feature gate disabled
t.Run("feature gate disabled - "+tt.name, func(t *testing.T) {
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.CSRDuration, false)()
f(t, tt.wantGateDisabled)
})
}
}

View File

@ -740,6 +740,12 @@ const (
//
// Enables usage of the ReadWriteOncePod PersistentVolume access mode.
ReadWriteOncePod featuregate.Feature = "ReadWriteOncePod"
// owner: @enj
// beta: v1.22
//
// Allows clients to request a duration for certificates issued via the Kubernetes CSR API.
CSRDuration featuregate.Feature = "CSRDuration"
)
func init() {
@ -851,6 +857,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
SeccompDefault: {Default: false, PreRelease: featuregate.Alpha},
PodSecurity: {Default: false, PreRelease: featuregate.Alpha},
ReadWriteOncePod: {Default: false, PreRelease: featuregate.Alpha},
CSRDuration: {Default: true, PreRelease: featuregate.Beta},
// inherited features from generic apiserver, relisted here to get a conflict if it is changed
// unintentionally on either side:

View File

@ -344,7 +344,7 @@ func requestNodeCertificate(ctx context.Context, client clientset.Interface, pri
return nil, err
}
reqName, reqUID, err := csr.RequestCertificate(client, csrData, name, certificatesv1.KubeAPIServerClientKubeletSignerName, usages, privateKey)
reqName, reqUID, err := csr.RequestCertificate(client, csrData, name, certificatesv1.KubeAPIServerClientKubeletSignerName, nil, usages, privateKey)
if err != nil {
return nil, err
}

View File

@ -48,6 +48,7 @@ import (
"k8s.io/apimachinery/pkg/util/duration"
"k8s.io/apimachinery/pkg/util/sets"
utilfeature "k8s.io/apiserver/pkg/util/feature"
"k8s.io/client-go/util/certificate/csr"
"k8s.io/kubernetes/pkg/apis/admissionregistration"
"k8s.io/kubernetes/pkg/apis/apiserverinternal"
"k8s.io/kubernetes/pkg/apis/apps"
@ -413,6 +414,7 @@ func AddHandlers(h printers.PrintHandler) {
{Name: "Age", Type: "string", Description: metav1.ObjectMeta{}.SwaggerDoc()["creationTimestamp"]},
{Name: "SignerName", Type: "string", Description: certificatesv1beta1.CertificateSigningRequestSpec{}.SwaggerDoc()["signerName"]},
{Name: "Requestor", Type: "string", Description: certificatesv1beta1.CertificateSigningRequestSpec{}.SwaggerDoc()["request"]},
{Name: "RequestedDuration", Type: "string", Description: certificatesv1beta1.CertificateSigningRequestSpec{}.SwaggerDoc()["expirationSeconds"]},
{Name: "Condition", Type: "string", Description: certificatesv1beta1.CertificateSigningRequestStatus{}.SwaggerDoc()["conditions"]},
}
h.TableHandler(certificateSigningRequestColumnDefinitions, printCertificateSigningRequest)
@ -1902,7 +1904,11 @@ func printCertificateSigningRequest(obj *certificates.CertificateSigningRequest,
if obj.Spec.SignerName != "" {
signerName = obj.Spec.SignerName
}
row.Cells = append(row.Cells, obj.Name, translateTimestampSince(obj.CreationTimestamp), signerName, obj.Spec.Username, status)
requestedDuration := "<none>"
if obj.Spec.ExpirationSeconds != nil {
requestedDuration = duration.HumanDuration(csr.ExpirationSecondsToDuration(*obj.Spec.ExpirationSeconds))
}
row.Cells = append(row.Cells, obj.Name, translateTimestampSince(obj.CreationTimestamp), signerName, obj.Spec.Username, requestedDuration, status)
return []metav1.TableRow{row}, nil
}

View File

@ -27,6 +27,7 @@ import (
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/util/diff"
"k8s.io/apimachinery/pkg/util/intstr"
"k8s.io/client-go/util/certificate/csr"
"k8s.io/kubernetes/pkg/apis/apiserverinternal"
"k8s.io/kubernetes/pkg/apis/apps"
"k8s.io/kubernetes/pkg/apis/autoscaling"
@ -3990,8 +3991,8 @@ func TestPrintCertificateSigningRequest(t *testing.T) {
Spec: certificates.CertificateSigningRequestSpec{},
Status: certificates.CertificateSigningRequestStatus{},
},
// Columns: Name, Age, Requestor, Condition
expected: []metav1.TableRow{{Cells: []interface{}{"csr1", "0s", "<none>", "", "Pending"}}},
// Columns: Name, Age, SignerName, Requestor, RequestedDuration, Condition
expected: []metav1.TableRow{{Cells: []interface{}{"csr1", "0s", "<none>", "", "<none>", "Pending"}}},
},
// Basic CSR with Spec and Status=Approved.
{
@ -4011,8 +4012,8 @@ func TestPrintCertificateSigningRequest(t *testing.T) {
},
},
},
// Columns: Name, Age, Requestor, Condition
expected: []metav1.TableRow{{Cells: []interface{}{"csr2", "0s", "<none>", "CSR Requestor", "Approved"}}},
// Columns: Name, Age, SignerName, Requestor, RequestedDuration, Condition
expected: []metav1.TableRow{{Cells: []interface{}{"csr2", "0s", "<none>", "CSR Requestor", "<none>", "Approved"}}},
},
// Basic CSR with Spec and SignerName set
{
@ -4033,8 +4034,31 @@ func TestPrintCertificateSigningRequest(t *testing.T) {
},
},
},
// Columns: Name, Age, Requestor, Condition
expected: []metav1.TableRow{{Cells: []interface{}{"csr2", "0s", "example.com/test-signer", "CSR Requestor", "Approved"}}},
// Columns: Name, Age, SignerName, Requestor, RequestedDuration, Condition
expected: []metav1.TableRow{{Cells: []interface{}{"csr2", "0s", "example.com/test-signer", "CSR Requestor", "<none>", "Approved"}}},
},
// Basic CSR with Spec, SignerName and ExpirationSeconds set
{
csr: certificates.CertificateSigningRequest{
ObjectMeta: metav1.ObjectMeta{
Name: "csr2",
CreationTimestamp: metav1.Time{Time: time.Now().Add(1.9e9)},
},
Spec: certificates.CertificateSigningRequestSpec{
Username: "CSR Requestor",
SignerName: "example.com/test-signer",
ExpirationSeconds: csr.DurationToExpirationSeconds(7*24*time.Hour + time.Hour), // a little bit more than a week
},
Status: certificates.CertificateSigningRequestStatus{
Conditions: []certificates.CertificateSigningRequestCondition{
{
Type: certificates.CertificateApproved,
},
},
},
},
// Columns: Name, Age, SignerName, Requestor, RequestedDuration, Condition
expected: []metav1.TableRow{{Cells: []interface{}{"csr2", "0s", "example.com/test-signer", "CSR Requestor", "7d1h", "Approved"}}},
},
// Basic CSR with Spec and Status=Approved; certificate issued.
{
@ -4055,8 +4079,8 @@ func TestPrintCertificateSigningRequest(t *testing.T) {
Certificate: []byte("cert data"),
},
},
// Columns: Name, Age, Requestor, Condition
expected: []metav1.TableRow{{Cells: []interface{}{"csr2", "0s", "<none>", "CSR Requestor", "Approved,Issued"}}},
// Columns: Name, Age, SignerName, Requestor, RequestedDuration, Condition
expected: []metav1.TableRow{{Cells: []interface{}{"csr2", "0s", "<none>", "CSR Requestor", "<none>", "Approved,Issued"}}},
},
// Basic CSR with Spec and Status=Denied.
{
@ -4076,8 +4100,8 @@ func TestPrintCertificateSigningRequest(t *testing.T) {
},
},
},
// Columns: Name, Age, Requestor, Condition
expected: []metav1.TableRow{{Cells: []interface{}{"csr3", "0s", "<none>", "CSR Requestor", "Denied"}}},
// Columns: Name, Age, SignerName, Requestor, RequestedDuration, Condition
expected: []metav1.TableRow{{Cells: []interface{}{"csr3", "0s", "<none>", "CSR Requestor", "<none>", "Denied"}}},
},
}

View File

@ -0,0 +1,169 @@
/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package storage
import (
"context"
"fmt"
"strings"
"sync"
"time"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
genericregistry "k8s.io/apiserver/pkg/registry/generic/registry"
"k8s.io/apiserver/pkg/util/dryrun"
utilfeature "k8s.io/apiserver/pkg/util/feature"
"k8s.io/client-go/util/cert"
"k8s.io/client-go/util/certificate/csr"
"k8s.io/component-base/metrics"
"k8s.io/component-base/metrics/legacyregistry"
"k8s.io/kubernetes/pkg/apis/certificates"
"k8s.io/kubernetes/pkg/features"
)
const (
namespace = "apiserver"
subsystem = "certificates_registry"
)
var (
// csrDurationRequested counts and categorizes how many certificates were issued when the client requested a duration.
csrDurationRequested = metrics.NewCounterVec(
&metrics.CounterOpts{
Namespace: namespace,
Subsystem: subsystem,
Name: "csr_requested_duration_total",
Help: "Total number of issued CSRs with a requested duration, sliced by signer (only kubernetes.io signer names are specifically identified)",
StabilityLevel: metrics.ALPHA,
},
[]string{"signerName"},
)
// csrDurationHonored counts and categorizes how many certificates were issued when the client requested a duration and the signer honored it.
csrDurationHonored = metrics.NewCounterVec(
&metrics.CounterOpts{
Namespace: namespace,
Subsystem: subsystem,
Name: "csr_honored_duration_total",
Help: "Total number of issued CSRs with a requested duration that was honored, sliced by signer (only kubernetes.io signer names are specifically identified)",
StabilityLevel: metrics.ALPHA,
},
[]string{"signerName"},
)
)
func init() {
registerMetricsOnce.Do(func() {
legacyregistry.MustRegister(csrDurationRequested)
legacyregistry.MustRegister(csrDurationHonored)
})
}
var registerMetricsOnce sync.Once
type counterVecMetric interface {
WithLabelValues(...string) metrics.CounterMetric
}
func countCSRDurationMetric(requested, honored counterVecMetric) genericregistry.BeginUpdateFunc {
return func(ctx context.Context, obj, old runtime.Object, options *metav1.UpdateOptions) (genericregistry.FinishFunc, error) {
return func(ctx context.Context, success bool) {
if !success {
return // ignore failures
}
if dryrun.IsDryRun(options.DryRun) {
return // ignore things that would not get persisted
}
if !utilfeature.DefaultFeatureGate.Enabled(features.CSRDuration) {
return
}
oldCSR, ok := old.(*certificates.CertificateSigningRequest)
if !ok {
return
}
// if the old CSR already has a certificate, do not double count it
if len(oldCSR.Status.Certificate) > 0 {
return
}
if oldCSR.Spec.ExpirationSeconds == nil {
return // ignore CSRs that are not using the CSR duration feature
}
newCSR, ok := obj.(*certificates.CertificateSigningRequest)
if !ok {
return
}
issuedCert := newCSR.Status.Certificate
// new CSR has no issued certificate yet so do not count it.
// note that this means that we will ignore CSRs that set a duration
// but never get approved/signed. this is fine because the point
// of these metrics is to understand if the duration is honored
// by the signer. we are not checking the behavior of the approver.
if len(issuedCert) == 0 {
return
}
signer := compressSignerName(oldCSR.Spec.SignerName)
// at this point we know that this CSR is going to be persisted and
// the cert was just issued and the client requested a duration
requested.WithLabelValues(signer).Inc()
certs, err := cert.ParseCertsPEM(issuedCert)
if err != nil {
utilruntime.HandleError(fmt.Errorf("metrics recording failed to parse certificate for CSR %s: %w", oldCSR.Name, err))
return
}
// now we check to see if the signer honored the requested duration
certificate := certs[0]
wantDuration := csr.ExpirationSecondsToDuration(*oldCSR.Spec.ExpirationSeconds)
actualDuration := certificate.NotAfter.Sub(certificate.NotBefore)
if isDurationHonored(wantDuration, actualDuration) {
honored.WithLabelValues(signer).Inc()
}
}, nil
}
}
func isDurationHonored(want, got time.Duration) bool {
delta := want - got
if delta < 0 {
delta = -delta
}
// short-lived cert backdating + 5% of want
maxDelta := 5*time.Minute + (want / 20)
return delta < maxDelta
}
func compressSignerName(name string) string {
if strings.HasPrefix(name, "kubernetes.io/") {
return name
}
return "other"
}

View File

@ -0,0 +1,496 @@
/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package storage
import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"math/big"
"testing"
"time"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
utilfeature "k8s.io/apiserver/pkg/util/feature"
certutil "k8s.io/client-go/util/cert"
"k8s.io/client-go/util/certificate/csr"
featuregatetesting "k8s.io/component-base/featuregate/testing"
"k8s.io/component-base/metrics"
"k8s.io/kubernetes/pkg/apis/certificates"
"k8s.io/kubernetes/pkg/features"
"k8s.io/utils/pointer"
)
func Test_countCSRDurationMetric(t *testing.T) {
caPrivateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
t.Fatal(err)
}
caCert, err := certutil.NewSelfSignedCACert(certutil.Config{CommonName: "test-ca"}, caPrivateKey)
if err != nil {
t.Fatal(err)
}
tests := []struct {
name string
disableFeatureGate bool
success bool
obj, old runtime.Object
options *metav1.UpdateOptions
wantSigner string
wantRequested, wantHonored bool
}{
{
name: "cert parse failure",
success: true,
obj: &certificates.CertificateSigningRequest{
Status: certificates.CertificateSigningRequestStatus{
Certificate: []byte("junk"),
},
},
old: &certificates.CertificateSigningRequest{
Spec: certificates.CertificateSigningRequestSpec{
SignerName: "fancy",
ExpirationSeconds: pointer.Int32(77),
},
},
options: &metav1.UpdateOptions{},
wantSigner: "other",
wantRequested: true,
wantHonored: false,
},
{
name: "kube signer honors duration exactly",
success: true,
obj: &certificates.CertificateSigningRequest{
Status: certificates.CertificateSigningRequestStatus{
Certificate: createCert(t, time.Hour, caPrivateKey, caCert),
},
},
old: &certificates.CertificateSigningRequest{
Spec: certificates.CertificateSigningRequestSpec{
SignerName: "kubernetes.io/educate-dolphins",
ExpirationSeconds: csr.DurationToExpirationSeconds(time.Hour),
},
},
options: &metav1.UpdateOptions{},
wantSigner: "kubernetes.io/educate-dolphins",
wantRequested: true,
wantHonored: true,
},
{
name: "signer honors duration exactly",
success: true,
obj: &certificates.CertificateSigningRequest{
Status: certificates.CertificateSigningRequestStatus{
Certificate: createCert(t, time.Hour, caPrivateKey, caCert),
},
},
old: &certificates.CertificateSigningRequest{
Spec: certificates.CertificateSigningRequestSpec{
SignerName: "pandas",
ExpirationSeconds: csr.DurationToExpirationSeconds(time.Hour),
},
},
options: &metav1.UpdateOptions{},
wantSigner: "other",
wantRequested: true,
wantHonored: true,
},
{
name: "signer honors duration but just a little bit less",
success: true,
obj: &certificates.CertificateSigningRequest{
Status: certificates.CertificateSigningRequestStatus{
Certificate: createCert(t, time.Hour-6*time.Minute, caPrivateKey, caCert),
},
},
old: &certificates.CertificateSigningRequest{
Spec: certificates.CertificateSigningRequestSpec{
SignerName: "pandas",
ExpirationSeconds: csr.DurationToExpirationSeconds(time.Hour),
},
},
options: &metav1.UpdateOptions{},
wantSigner: "other",
wantRequested: true,
wantHonored: true,
},
{
name: "signer honors duration but just a little bit more",
success: true,
obj: &certificates.CertificateSigningRequest{
Status: certificates.CertificateSigningRequestStatus{
Certificate: createCert(t, time.Hour+6*time.Minute, caPrivateKey, caCert),
},
},
old: &certificates.CertificateSigningRequest{
Spec: certificates.CertificateSigningRequestSpec{
SignerName: "pandas",
ExpirationSeconds: csr.DurationToExpirationSeconds(time.Hour),
},
},
options: &metav1.UpdateOptions{},
wantSigner: "other",
wantRequested: true,
wantHonored: true,
},
{
name: "honors duration lower bound",
success: true,
obj: &certificates.CertificateSigningRequest{
Status: certificates.CertificateSigningRequestStatus{
Certificate: createCert(t, 651*time.Second, caPrivateKey, caCert),
},
},
old: &certificates.CertificateSigningRequest{
Spec: certificates.CertificateSigningRequestSpec{
SignerName: "kubernetes.io/educate-dolphins",
ExpirationSeconds: csr.DurationToExpirationSeconds(1_000 * time.Second),
},
},
options: &metav1.UpdateOptions{},
wantSigner: "kubernetes.io/educate-dolphins",
wantRequested: true,
wantHonored: true,
},
{
name: "does not honor duration just outside of lower bound",
success: true,
obj: &certificates.CertificateSigningRequest{
Status: certificates.CertificateSigningRequestStatus{
Certificate: createCert(t, 650*time.Second, caPrivateKey, caCert),
},
},
old: &certificates.CertificateSigningRequest{
Spec: certificates.CertificateSigningRequestSpec{
SignerName: "kubernetes.io/educate-dolphins",
ExpirationSeconds: csr.DurationToExpirationSeconds(1_000 * time.Second),
},
},
options: &metav1.UpdateOptions{},
wantSigner: "kubernetes.io/educate-dolphins",
wantRequested: true,
wantHonored: false,
},
{
name: "honors duration upper bound",
success: true,
obj: &certificates.CertificateSigningRequest{
Status: certificates.CertificateSigningRequestStatus{
Certificate: createCert(t, 1349*time.Second, caPrivateKey, caCert),
},
},
old: &certificates.CertificateSigningRequest{
Spec: certificates.CertificateSigningRequestSpec{
SignerName: "kubernetes.io/educate-dolphins",
ExpirationSeconds: csr.DurationToExpirationSeconds(1_000 * time.Second),
},
},
options: &metav1.UpdateOptions{},
wantSigner: "kubernetes.io/educate-dolphins",
wantRequested: true,
wantHonored: true,
},
{
name: "does not honor duration just outside of upper bound",
success: true,
obj: &certificates.CertificateSigningRequest{
Status: certificates.CertificateSigningRequestStatus{
Certificate: createCert(t, 1350*time.Second, caPrivateKey, caCert),
},
},
old: &certificates.CertificateSigningRequest{
Spec: certificates.CertificateSigningRequestSpec{
SignerName: "kubernetes.io/educate-dolphins",
ExpirationSeconds: csr.DurationToExpirationSeconds(1_000 * time.Second),
},
},
options: &metav1.UpdateOptions{},
wantSigner: "kubernetes.io/educate-dolphins",
wantRequested: true,
wantHonored: false,
},
{
name: "failed update is ignored",
success: false,
obj: &certificates.CertificateSigningRequest{
Status: certificates.CertificateSigningRequestStatus{
Certificate: createCert(t, time.Hour, caPrivateKey, caCert),
},
},
old: &certificates.CertificateSigningRequest{
Spec: certificates.CertificateSigningRequestSpec{
SignerName: "pandas",
ExpirationSeconds: csr.DurationToExpirationSeconds(time.Hour),
},
},
options: &metav1.UpdateOptions{},
wantSigner: "",
wantRequested: false,
wantHonored: false,
},
{
name: "dry run is ignored",
success: true,
obj: &certificates.CertificateSigningRequest{
Status: certificates.CertificateSigningRequestStatus{
Certificate: createCert(t, time.Hour, caPrivateKey, caCert),
},
},
old: &certificates.CertificateSigningRequest{
Spec: certificates.CertificateSigningRequestSpec{
SignerName: "pandas",
ExpirationSeconds: csr.DurationToExpirationSeconds(time.Hour),
},
},
options: &metav1.UpdateOptions{DryRun: []string{"stuff"}},
wantSigner: "",
wantRequested: false,
wantHonored: false,
},
{
name: "no metrics when feature gate is turned off",
disableFeatureGate: true,
success: true,
obj: &certificates.CertificateSigningRequest{
Status: certificates.CertificateSigningRequestStatus{
Certificate: createCert(t, time.Hour, caPrivateKey, caCert),
},
},
old: &certificates.CertificateSigningRequest{
Spec: certificates.CertificateSigningRequestSpec{
SignerName: "pandas",
ExpirationSeconds: csr.DurationToExpirationSeconds(time.Hour),
},
},
options: &metav1.UpdateOptions{},
wantSigner: "",
wantRequested: false,
wantHonored: false,
},
{
name: "old CSR already has a cert so it is ignored",
success: true,
obj: &certificates.CertificateSigningRequest{
Status: certificates.CertificateSigningRequestStatus{
Certificate: createCert(t, time.Hour, caPrivateKey, caCert),
},
},
old: &certificates.CertificateSigningRequest{
Spec: certificates.CertificateSigningRequestSpec{
SignerName: "pandas",
ExpirationSeconds: csr.DurationToExpirationSeconds(time.Hour),
},
Status: certificates.CertificateSigningRequestStatus{
Certificate: []byte("junk"),
},
},
options: &metav1.UpdateOptions{},
wantSigner: "",
wantRequested: false,
wantHonored: false,
},
{
name: "CSRs with no duration are ignored",
success: true,
obj: &certificates.CertificateSigningRequest{
Status: certificates.CertificateSigningRequestStatus{
Certificate: createCert(t, time.Hour, caPrivateKey, caCert),
},
},
old: &certificates.CertificateSigningRequest{
Spec: certificates.CertificateSigningRequestSpec{
SignerName: "pandas",
ExpirationSeconds: nil,
},
},
options: &metav1.UpdateOptions{},
wantSigner: "",
wantRequested: false,
wantHonored: false,
},
{
name: "unissued CSRs are ignored",
success: true,
obj: &certificates.CertificateSigningRequest{
Status: certificates.CertificateSigningRequestStatus{
Certificate: nil,
},
},
old: &certificates.CertificateSigningRequest{
Spec: certificates.CertificateSigningRequestSpec{
SignerName: "pandas",
ExpirationSeconds: csr.DurationToExpirationSeconds(time.Hour),
},
},
options: &metav1.UpdateOptions{},
wantSigner: "",
wantRequested: false,
wantHonored: false,
},
{
name: "invalid data - nil old object",
success: true,
obj: &certificates.CertificateSigningRequest{
Status: certificates.CertificateSigningRequestStatus{
Certificate: createCert(t, time.Hour, caPrivateKey, caCert),
},
},
old: nil,
options: &metav1.UpdateOptions{},
wantSigner: "",
wantRequested: false,
wantHonored: false,
},
{
name: "invalid data - nil new object",
success: true,
obj: nil,
old: &certificates.CertificateSigningRequest{
Spec: certificates.CertificateSigningRequestSpec{
SignerName: "pandas",
ExpirationSeconds: csr.DurationToExpirationSeconds(time.Hour),
},
},
options: &metav1.UpdateOptions{},
wantSigner: "",
wantRequested: false,
wantHonored: false,
},
{
name: "invalid data - junk old object",
success: true,
obj: &certificates.CertificateSigningRequest{
Status: certificates.CertificateSigningRequestStatus{
Certificate: createCert(t, time.Hour, caPrivateKey, caCert),
},
},
old: &corev1.Pod{},
options: &metav1.UpdateOptions{},
wantSigner: "",
wantRequested: false,
wantHonored: false,
},
{
name: "invalid data - junk new object",
success: true,
obj: &corev1.Pod{},
old: &certificates.CertificateSigningRequest{
Spec: certificates.CertificateSigningRequestSpec{
SignerName: "pandas",
ExpirationSeconds: csr.DurationToExpirationSeconds(time.Hour),
},
},
options: &metav1.UpdateOptions{},
wantSigner: "",
wantRequested: false,
wantHonored: false,
},
}
for _, tt := range tests {
tt := tt
t.Run(tt.name, func(t *testing.T) {
if tt.disableFeatureGate {
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.CSRDuration, false)()
} else {
t.Parallel()
}
testReq := &testCounterVecMetric{}
testHon := &testCounterVecMetric{}
finishFunc, err := countCSRDurationMetric(testReq, testHon)(nil, tt.obj, tt.old, tt.options)
if err != nil {
t.Fatal(err)
}
finishFunc(nil, tt.success)
if got := testReq.signer; tt.wantRequested && tt.wantSigner != got {
t.Errorf("requested signer: want %v, got %v", tt.wantSigner, got)
}
if got := testHon.signer; tt.wantHonored && tt.wantSigner != got {
t.Errorf("honored signer: want %v, got %v", tt.wantSigner, got)
}
if got := testReq.called; tt.wantRequested != got {
t.Errorf("requested inc: want %v, got %v", tt.wantRequested, got)
}
if got := testHon.called; tt.wantHonored != got {
t.Errorf("honored inc: want %v, got %v", tt.wantHonored, got)
}
})
}
}
func createCert(t *testing.T, duration time.Duration, caPrivateKey *ecdsa.PrivateKey, caCert *x509.Certificate) []byte {
t.Helper()
crPublicKey := &caPrivateKey.PublicKey // this is supposed to be public key of the signee but it does not matter for this test
now := time.Now()
tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: "panda"}, SerialNumber: big.NewInt(1234), NotBefore: now, NotAfter: now.Add(duration)}
der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, crPublicKey, caPrivateKey)
if err != nil {
t.Fatal(err)
}
return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
type testCounterVecMetric struct {
metrics.CounterMetric
signer string
called bool
}
func (m *testCounterVecMetric) WithLabelValues(lv ...string) metrics.CounterMetric {
if len(lv) != 1 {
panic(lv)
}
if len(m.signer) != 0 {
panic("unexpected multiple WithLabelValues() calls")
}
signer := lv[0]
if len(signer) == 0 {
panic("invalid empty signer")
}
m.signer = signer
return m
}
func (m *testCounterVecMetric) Inc() {
if m.called {
panic("unexpected multiple Inc() calls")
}
m.called = true
}

View File

@ -62,6 +62,7 @@ func NewREST(optsGetter generic.RESTOptionsGetter) (*REST, *StatusREST, *Approva
statusStore := *store
statusStore.UpdateStrategy = csrregistry.StatusStrategy
statusStore.ResetFieldsStrategy = csrregistry.StatusStrategy
statusStore.BeginUpdate = countCSRDurationMetric(csrDurationRequested, csrDurationHonored)
approvalStore := *store
approvalStore.UpdateStrategy = csrregistry.ApprovalStrategy

View File

@ -30,9 +30,11 @@ import (
genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
"k8s.io/apiserver/pkg/registry/generic"
"k8s.io/apiserver/pkg/storage/names"
utilfeature "k8s.io/apiserver/pkg/util/feature"
"k8s.io/kubernetes/pkg/api/legacyscheme"
"k8s.io/kubernetes/pkg/apis/certificates"
"k8s.io/kubernetes/pkg/apis/certificates/validation"
"k8s.io/kubernetes/pkg/features"
"sigs.k8s.io/structured-merge-diff/v4/fieldpath"
)
@ -91,10 +93,14 @@ func (csrStrategy) PrepareForCreate(ctx context.Context, obj runtime.Object) {
if extra := user.GetExtra(); len(extra) > 0 {
csr.Spec.Extra = map[string]certificates.ExtraValue{}
for k, v := range extra {
csr.Spec.Extra[k] = certificates.ExtraValue(v)
csr.Spec.Extra[k] = v
}
}
}
// clear expirationSeconds if the CSRDuration feature is disabled
if !utilfeature.DefaultFeatureGate.Enabled(features.CSRDuration) {
csr.Spec.ExpirationSeconds = nil
}
// Be explicit that users cannot create pre-approved certificate requests.
csr.Status = certificates.CertificateSigningRequestStatus{}

View File

@ -27,14 +27,19 @@ import (
"k8s.io/apimachinery/pkg/util/diff"
"k8s.io/apiserver/pkg/authentication/user"
genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
utilfeature "k8s.io/apiserver/pkg/util/feature"
featuregatetesting "k8s.io/component-base/featuregate/testing"
certapi "k8s.io/kubernetes/pkg/apis/certificates"
"k8s.io/kubernetes/pkg/features"
"k8s.io/utils/pointer"
)
func TestStrategyCreate(t *testing.T) {
tests := map[string]struct {
ctx context.Context
obj runtime.Object
expectedObj runtime.Object
ctx context.Context
disableFeatureGate bool
obj runtime.Object
expectedObj runtime.Object
}{
"no user in context, no user in obj": {
ctx: genericapirequest.NewContext(),
@ -112,15 +117,51 @@ func TestStrategyCreate(t *testing.T) {
},
expectedObj: &certapi.CertificateSigningRequest{
Status: certapi.CertificateSigningRequestStatus{Conditions: []certapi.CertificateSigningRequestCondition{}},
}},
},
},
"expirationSeconds set with gate enabled": {
ctx: genericapirequest.NewContext(),
obj: &certapi.CertificateSigningRequest{
Spec: certapi.CertificateSigningRequestSpec{
ExpirationSeconds: pointer.Int32(1234),
},
},
expectedObj: &certapi.CertificateSigningRequest{
Spec: certapi.CertificateSigningRequestSpec{
ExpirationSeconds: pointer.Int32(1234),
},
Status: certapi.CertificateSigningRequestStatus{Conditions: []certapi.CertificateSigningRequestCondition{}},
},
},
"expirationSeconds set with gate disabled": {
ctx: genericapirequest.NewContext(),
disableFeatureGate: true,
obj: &certapi.CertificateSigningRequest{
Spec: certapi.CertificateSigningRequestSpec{
ExpirationSeconds: pointer.Int32(5678),
},
},
expectedObj: &certapi.CertificateSigningRequest{
Spec: certapi.CertificateSigningRequestSpec{
ExpirationSeconds: nil,
},
Status: certapi.CertificateSigningRequestStatus{Conditions: []certapi.CertificateSigningRequestCondition{}},
},
},
}
for k, tc := range tests {
obj := tc.obj
Strategy.PrepareForCreate(tc.ctx, obj)
if !reflect.DeepEqual(obj, tc.expectedObj) {
t.Errorf("%s: object diff: %s", k, diff.ObjectDiff(obj, tc.expectedObj))
}
tc := tc
t.Run(k, func(t *testing.T) {
if tc.disableFeatureGate {
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.CSRDuration, false)()
}
obj := tc.obj
Strategy.PrepareForCreate(tc.ctx, obj)
if !reflect.DeepEqual(obj, tc.expectedObj) {
t.Errorf("object diff: %s", diff.ObjectDiff(obj, tc.expectedObj))
}
})
}
}

View File

@ -44,7 +44,7 @@ type CertificateSigningRequest struct {
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
// spec contains the certificate request, and is immutable after creation.
// Only the request, signerName, and usages fields can be set on creation.
// Only the request, signerName, expirationSeconds, and usages fields can be set on creation.
// Other fields are derived by Kubernetes and cannot be modified by users.
Spec CertificateSigningRequestSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
@ -84,6 +84,30 @@ type CertificateSigningRequestSpec struct {
// 6. Whether or not requests for CA certificates are allowed.
SignerName string `json:"signerName" protobuf:"bytes,7,opt,name=signerName"`
// expirationSeconds is the requested duration of validity of the issued
// certificate. The certificate signer may issue a certificate with a different
// validity duration so a client must check the delta between the notBefore and
// and notAfter fields in the issued certificate to determine the actual duration.
//
// The v1.22+ in-tree implementations of the well-known Kubernetes signers will
// honor this field as long as the requested duration is not greater than the
// maximum duration they will honor per the --cluster-signing-duration CLI
// flag to the Kubernetes controller manager.
//
// Certificate signers may not honor this field for various reasons:
//
// 1. Old signer that is unaware of the field (such as the in-tree
// implementations prior to v1.22)
// 2. Signer whose configured maximum is shorter than the requested duration
// 3. Signer whose configured minimum is longer than the requested duration
//
// The minimum valid value for expirationSeconds is 600, i.e. 10 minutes.
//
// As of v1.22, this field is beta and is controlled via the CSRDuration feature gate.
//
// +optional
ExpirationSeconds *int32 `json:"expirationSeconds,omitempty" protobuf:"varint,8,opt,name=expirationSeconds"`
// usages specifies a set of key usages requested in the issued certificate.
//
// Requests for TLS client certificates typically request: "digital signature", "key encipherment", "client auth".

View File

@ -36,18 +36,17 @@ type CertificateSigningRequest struct {
// +optional
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
// The certificate request itself and any additional information.
// +optional
Spec CertificateSigningRequestSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
// spec contains the certificate request, and is immutable after creation.
// Only the request, signerName, expirationSeconds, and usages fields can be set on creation.
// Other fields are derived by Kubernetes and cannot be modified by users.
Spec CertificateSigningRequestSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
// Derived information about the request.
// +optional
Status CertificateSigningRequestStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
}
// This information is immutable after the request is created. Only the Request
// and Usages fields can be set on creation, other fields are derived by
// Kubernetes and cannot be modified by users.
// CertificateSigningRequestSpec contains the certificate request.
type CertificateSigningRequestSpec struct {
// Base64-encoded PKCS#10 CSR data
// +listType=atomic
@ -66,6 +65,30 @@ type CertificateSigningRequestSpec struct {
// +optional
SignerName *string `json:"signerName,omitempty" protobuf:"bytes,7,opt,name=signerName"`
// expirationSeconds is the requested duration of validity of the issued
// certificate. The certificate signer may issue a certificate with a different
// validity duration so a client must check the delta between the notBefore and
// and notAfter fields in the issued certificate to determine the actual duration.
//
// The v1.22+ in-tree implementations of the well-known Kubernetes signers will
// honor this field as long as the requested duration is not greater than the
// maximum duration they will honor per the --cluster-signing-duration CLI
// flag to the Kubernetes controller manager.
//
// Certificate signers may not honor this field for various reasons:
//
// 1. Old signer that is unaware of the field (such as the in-tree
// implementations prior to v1.22)
// 2. Signer whose configured maximum is shorter than the requested duration
// 3. Signer whose configured minimum is longer than the requested duration
//
// The minimum valid value for expirationSeconds is 600, i.e. 10 minutes.
//
// As of v1.22, this field is beta and is controlled via the CSRDuration feature gate.
//
// +optional
ExpirationSeconds *int32 `json:"expirationSeconds,omitempty" protobuf:"varint,8,opt,name=expirationSeconds"`
// allowedUsages specifies a set of usage contexts the key will be
// valid for.
// See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3

View File

@ -88,6 +88,11 @@ type Config struct {
// SignerName is the name of the certificate signer that should sign certificates
// generated by the manager.
SignerName string
// RequestedCertificateLifetime is the requested lifetime length for certificates generated by the manager.
// Optional.
// This will set the spec.expirationSeconds field on the CSR. Controlling the lifetime of
// the issued certificate is not guaranteed as the signer may choose to ignore the request.
RequestedCertificateLifetime *time.Duration
// Usages is the types of usages that certificates generated by the manager
// can be used for.
Usages []certificates.KeyUsage
@ -184,10 +189,11 @@ type manager struct {
lastRequestCancel context.CancelFunc
lastRequest *x509.CertificateRequest
dynamicTemplate bool
signerName string
usages []certificates.KeyUsage
forceRotation bool
dynamicTemplate bool
signerName string
requestedCertificateLifetime *time.Duration
usages []certificates.KeyUsage
forceRotation bool
certStore Store
@ -230,18 +236,19 @@ func NewManager(config *Config) (Manager, error) {
}
m := manager{
stopCh: make(chan struct{}),
clientsetFn: config.ClientsetFn,
getTemplate: getTemplate,
dynamicTemplate: config.GetTemplate != nil,
signerName: config.SignerName,
usages: config.Usages,
certStore: config.CertificateStore,
cert: cert,
forceRotation: forceRotation,
certificateRotation: config.CertificateRotation,
certificateRenewFailure: config.CertificateRenewFailure,
now: time.Now,
stopCh: make(chan struct{}),
clientsetFn: config.ClientsetFn,
getTemplate: getTemplate,
dynamicTemplate: config.GetTemplate != nil,
signerName: config.SignerName,
requestedCertificateLifetime: config.RequestedCertificateLifetime,
usages: config.Usages,
certStore: config.CertificateStore,
cert: cert,
forceRotation: forceRotation,
certificateRotation: config.CertificateRotation,
certificateRenewFailure: config.CertificateRenewFailure,
now: time.Now,
}
name := config.Name
@ -459,7 +466,7 @@ func (m *manager) rotateCerts() (bool, error) {
// Call the Certificate Signing Request API to get a certificate for the
// new private key.
reqName, reqUID, err := csr.RequestCertificate(clientSet, csrPEM, "", m.signerName, m.usages, privateKey)
reqName, reqUID, err := csr.RequestCertificate(clientSet, csrPEM, "", m.signerName, m.requestedCertificateLifetime, m.usages, privateKey)
if err != nil {
utilruntime.HandleError(fmt.Errorf("%s: Failed while requesting a signed certificate from the control plane: %v", m.name, err))
if m.certificateRenewFailure != nil {

View File

@ -25,8 +25,6 @@ import (
"reflect"
"time"
"k8s.io/klog/v2"
certificatesv1 "k8s.io/api/certificates/v1"
certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
"k8s.io/apimachinery/pkg/api/errors"
@ -41,12 +39,16 @@ import (
"k8s.io/client-go/tools/cache"
watchtools "k8s.io/client-go/tools/watch"
certutil "k8s.io/client-go/util/cert"
"k8s.io/klog/v2"
"k8s.io/utils/pointer"
)
// RequestCertificate will either use an existing (if this process has run
// before but not to completion) or create a certificate signing request using the
// PEM encoded CSR and send it to API server.
func RequestCertificate(client clientset.Interface, csrData []byte, name string, signerName string, usages []certificatesv1.KeyUsage, privateKey interface{}) (reqName string, reqUID types.UID, err error) {
// PEM encoded CSR and send it to API server. An optional requestedDuration may be passed
// to set the spec.expirationSeconds field on the CSR to control the lifetime of the issued
// certificate. This is not guaranteed as the signer may choose to ignore the request.
func RequestCertificate(client clientset.Interface, csrData []byte, name, signerName string, requestedDuration *time.Duration, usages []certificatesv1.KeyUsage, privateKey interface{}) (reqName string, reqUID types.UID, err error) {
csr := &certificatesv1.CertificateSigningRequest{
// Username, UID, Groups will be injected by API server.
TypeMeta: metav1.TypeMeta{Kind: "CertificateSigningRequest"},
@ -62,6 +64,9 @@ func RequestCertificate(client clientset.Interface, csrData []byte, name string,
if len(csr.Name) == 0 {
csr.GenerateName = "csr-"
}
if requestedDuration != nil {
csr.Spec.ExpirationSeconds = DurationToExpirationSeconds(*requestedDuration)
}
reqName, reqUID, err = create(client, csr)
switch {
@ -85,6 +90,14 @@ func RequestCertificate(client clientset.Interface, csrData []byte, name string,
}
}
func DurationToExpirationSeconds(duration time.Duration) *int32 {
return pointer.Int32(int32(duration / time.Second))
}
func ExpirationSecondsToDuration(expirationSeconds int32) time.Duration {
return time.Duration(expirationSeconds) * time.Second
}
func get(client clientset.Interface, name string) (*certificatesv1.CertificateSigningRequest, error) {
v1req, v1err := client.CertificatesV1().CertificateSigningRequests().Get(context.TODO(), name, metav1.GetOptions{})
if v1err == nil || !apierrors.IsNotFound(v1err) {

View File

@ -193,8 +193,8 @@ type CSRSigningControllerConfiguration struct {
// legacyUnknownSignerConfiguration holds the certificate and key used to issue certificates for the kubernetes.io/legacy-unknown
LegacyUnknownSignerConfiguration CSRSigningConfiguration
// clusterSigningDuration is the length of duration signed certificates
// will be given.
// clusterSigningDuration is the max length of duration signed certificates will be given.
// Individual CSRs may request shorter certs by setting spec.expirationSeconds.
ClusterSigningDuration metav1.Duration
}

View File

@ -33,7 +33,6 @@ import (
"unicode"
"github.com/fatih/camelcase"
"k8s.io/apimachinery/pkg/runtime"
appsv1 "k8s.io/api/apps/v1"
autoscalingv1 "k8s.io/api/autoscaling/v1"
@ -60,6 +59,7 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/fields"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/duration"
@ -72,6 +72,7 @@ import (
corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
"k8s.io/client-go/rest"
"k8s.io/client-go/tools/reference"
utilcsr "k8s.io/client-go/util/certificate/csr"
"k8s.io/klog/v2"
"k8s.io/kubectl/pkg/scheme"
"k8s.io/kubectl/pkg/util/certificate"
@ -3690,12 +3691,13 @@ type CertificateSigningRequestDescriber struct {
func (p *CertificateSigningRequestDescriber) Describe(namespace, name string, describerSettings DescriberSettings) (string, error) {
var (
crBytes []byte
metadata metav1.ObjectMeta
status string
signerName string
username string
events *corev1.EventList
crBytes []byte
metadata metav1.ObjectMeta
status string
signerName string
expirationSeconds *int32
username string
events *corev1.EventList
)
if csr, err := p.client.CertificatesV1().CertificateSigningRequests().Get(context.TODO(), name, metav1.GetOptions{}); err == nil {
@ -3707,6 +3709,7 @@ func (p *CertificateSigningRequestDescriber) Describe(namespace, name string, de
}
status = extractCSRStatus(conditionTypes, csr.Status.Certificate)
signerName = csr.Spec.SignerName
expirationSeconds = csr.Spec.ExpirationSeconds
username = csr.Spec.Username
if describerSettings.ShowEvents {
events, _ = searchEvents(p.client.CoreV1(), csr, describerSettings.ChunkSize)
@ -3722,6 +3725,7 @@ func (p *CertificateSigningRequestDescriber) Describe(namespace, name string, de
if csr.Spec.SignerName != nil {
signerName = *csr.Spec.SignerName
}
expirationSeconds = csr.Spec.ExpirationSeconds
username = csr.Spec.Username
if describerSettings.ShowEvents {
events, _ = searchEvents(p.client.CoreV1(), csr, describerSettings.ChunkSize)
@ -3735,10 +3739,10 @@ func (p *CertificateSigningRequestDescriber) Describe(namespace, name string, de
return "", fmt.Errorf("Error parsing CSR: %v", err)
}
return describeCertificateSigningRequest(metadata, signerName, username, cr, status, events)
return describeCertificateSigningRequest(metadata, signerName, expirationSeconds, username, cr, status, events)
}
func describeCertificateSigningRequest(csr metav1.ObjectMeta, signerName string, username string, cr *x509.CertificateRequest, status string, events *corev1.EventList) (string, error) {
func describeCertificateSigningRequest(csr metav1.ObjectMeta, signerName string, expirationSeconds *int32, username string, cr *x509.CertificateRequest, status string, events *corev1.EventList) (string, error) {
printListHelper := func(w PrefixWriter, prefix, name string, values []string) {
if len(values) == 0 {
return
@ -3758,6 +3762,9 @@ func describeCertificateSigningRequest(csr metav1.ObjectMeta, signerName string,
if len(signerName) > 0 {
w.Write(LEVEL_0, "Signer:\t%s\n", signerName)
}
if expirationSeconds != nil {
w.Write(LEVEL_0, "Requested Duration:\t%s\n", duration.HumanDuration(utilcsr.ExpirationSecondsToDuration(*expirationSeconds)))
}
w.Write(LEVEL_0, "Status:\t%s\n", status)
w.Write(LEVEL_0, "Subject:\n")

View File

@ -0,0 +1,293 @@
/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package certificates
import (
"context"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/x509/pkix"
"encoding/pem"
"io/ioutil"
"os"
"path"
"strings"
"testing"
"time"
"github.com/google/go-cmp/cmp"
certificatesv1 "k8s.io/api/certificates/v1"
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured/unstructuredscheme"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apiserver/pkg/server/dynamiccertificates"
"k8s.io/client-go/informers"
clientset "k8s.io/client-go/kubernetes"
"k8s.io/client-go/rest"
certutil "k8s.io/client-go/util/cert"
"k8s.io/client-go/util/certificate/csr"
"k8s.io/client-go/util/keyutil"
kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
"k8s.io/kubernetes/pkg/controller/certificates/signer"
"k8s.io/kubernetes/test/integration/framework"
)
func TestCSRDuration(t *testing.T) {
t.Parallel()
ctx, cancel := context.WithTimeout(context.Background(), 3*time.Minute)
t.Cleanup(cancel)
s := kubeapiservertesting.StartTestServerOrDie(t, nil, nil, framework.SharedEtcd())
t.Cleanup(s.TearDownFn)
// assert that the metrics we collect during the test run match expectations
// we have 7 valid test cases below that request a duration of which 6 should have their duration honored
wantMetricStrings := []string{
`apiserver_certificates_registry_csr_honored_duration_total{signerName="kubernetes.io/kube-apiserver-client"} 6`,
`apiserver_certificates_registry_csr_requested_duration_total{signerName="kubernetes.io/kube-apiserver-client"} 7`,
}
t.Cleanup(func() {
copyConfig := rest.CopyConfig(s.ClientConfig)
copyConfig.GroupVersion = &schema.GroupVersion{}
copyConfig.NegotiatedSerializer = unstructuredscheme.NewUnstructuredNegotiatedSerializer()
rc, err := rest.RESTClientFor(copyConfig)
if err != nil {
t.Fatal(err)
}
body, err := rc.Get().AbsPath("/metrics").DoRaw(ctx)
if err != nil {
t.Fatal(err)
}
var gotMetricStrings []string
for _, line := range strings.Split(string(body), "\n") {
if strings.HasPrefix(line, "apiserver_certificates_registry_") {
gotMetricStrings = append(gotMetricStrings, line)
}
}
if diff := cmp.Diff(wantMetricStrings, gotMetricStrings); diff != "" {
t.Errorf("unexpected metrics diff (-want +got): %s", diff)
}
})
client := clientset.NewForConfigOrDie(s.ClientConfig)
informerFactory := informers.NewSharedInformerFactory(client, 0)
caPrivateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
t.Fatal(err)
}
caCert, err := certutil.NewSelfSignedCACert(certutil.Config{CommonName: "test-ca"}, caPrivateKey)
if err != nil {
t.Fatal(err)
}
caPublicKeyFile := path.Join(s.TmpDir, "test-ca-public-key")
if err := ioutil.WriteFile(caPublicKeyFile, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caCert.Raw}), os.FileMode(0600)); err != nil {
t.Fatal(err)
}
caPrivateKeyBytes, err := keyutil.MarshalPrivateKeyToPEM(caPrivateKey)
if err != nil {
t.Fatal(err)
}
caPrivateKeyFile := path.Join(s.TmpDir, "test-ca-private-key")
if err := ioutil.WriteFile(caPrivateKeyFile, caPrivateKeyBytes, os.FileMode(0600)); err != nil {
t.Fatal(err)
}
c, err := signer.NewKubeAPIServerClientCSRSigningController(client, informerFactory.Certificates().V1().CertificateSigningRequests(), caPublicKeyFile, caPrivateKeyFile, 24*time.Hour)
if err != nil {
t.Fatal(err)
}
stopCh := make(chan struct{})
t.Cleanup(func() {
close(stopCh)
})
informerFactory.Start(stopCh)
go c.Run(1, stopCh)
tests := []struct {
name, csrName string
duration, wantDuration time.Duration
wantError string
}{
{
name: "no duration set",
duration: 0,
wantDuration: 24 * time.Hour,
wantError: "",
},
{
name: "same duration set as certTTL",
duration: 24 * time.Hour,
wantDuration: 24 * time.Hour,
wantError: "",
},
{
name: "longer duration than certTTL",
duration: 48 * time.Hour,
wantDuration: 24 * time.Hour,
wantError: "",
},
{
name: "slightly shorter duration set",
duration: 20 * time.Hour,
wantDuration: 20 * time.Hour,
wantError: "",
},
{
name: "even shorter duration set",
duration: 10 * time.Hour,
wantDuration: 10 * time.Hour,
wantError: "",
},
{
name: "short duration set",
duration: 2 * time.Hour,
wantDuration: 2*time.Hour + 5*time.Minute,
wantError: "",
},
{
name: "very short duration set",
duration: 30 * time.Minute,
wantDuration: 30*time.Minute + 5*time.Minute,
wantError: "",
},
{
name: "shortest duration set",
duration: 10 * time.Minute,
wantDuration: 10*time.Minute + 5*time.Minute,
wantError: "",
},
{
name: "just too short duration set",
csrName: "invalid-csr-001",
duration: 10*time.Minute - time.Second,
wantDuration: 0,
wantError: `cannot create certificate signing request: ` +
`CertificateSigningRequest.certificates.k8s.io "invalid-csr-001" is invalid: spec.expirationSeconds: Invalid value: 599: may not specify a duration less than 600 seconds (10 minutes)`,
},
{
name: "really too short duration set",
csrName: "invalid-csr-002",
duration: 3 * time.Minute,
wantDuration: 0,
wantError: `cannot create certificate signing request: ` +
`CertificateSigningRequest.certificates.k8s.io "invalid-csr-002" is invalid: spec.expirationSeconds: Invalid value: 180: may not specify a duration less than 600 seconds (10 minutes)`,
},
{
name: "negative duration set",
csrName: "invalid-csr-003",
duration: -7 * time.Minute,
wantDuration: 0,
wantError: `cannot create certificate signing request: ` +
`CertificateSigningRequest.certificates.k8s.io "invalid-csr-003" is invalid: spec.expirationSeconds: Invalid value: -420: may not specify a duration less than 600 seconds (10 minutes)`,
},
}
for _, tt := range tests {
tt := tt
t.Run(tt.name, func(t *testing.T) {
t.Parallel()
privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
t.Fatal(err)
}
csrData, err := certutil.MakeCSR(privateKey, &pkix.Name{CommonName: "panda"}, nil, nil)
if err != nil {
t.Fatal(err)
}
csrName, csrUID, errReq := csr.RequestCertificate(client, csrData, tt.csrName, certificatesv1.KubeAPIServerClientSignerName,
durationPtr(tt.duration), []certificatesv1.KeyUsage{certificatesv1.UsageClientAuth}, privateKey)
if diff := cmp.Diff(tt.wantError, errStr(errReq)); len(diff) > 0 {
t.Fatalf("CSR input duration %v err diff (-want, +got):\n%s", tt.duration, diff)
}
if len(tt.wantError) > 0 {
return
}
csrObj, err := client.CertificatesV1().CertificateSigningRequests().Get(ctx, csrName, metav1.GetOptions{})
if err != nil {
t.Fatal(err)
}
csrObj.Status.Conditions = []certificatesv1.CertificateSigningRequestCondition{
{
Type: certificatesv1.CertificateApproved,
Status: v1.ConditionTrue,
Reason: "TestCSRDuration",
Message: t.Name(),
},
}
_, err = client.CertificatesV1().CertificateSigningRequests().UpdateApproval(ctx, csrName, csrObj, metav1.UpdateOptions{})
if err != nil {
t.Fatal(err)
}
certData, err := csr.WaitForCertificate(ctx, client, csrName, csrUID)
if err != nil {
t.Fatal(err)
}
certs, err := certutil.ParseCertsPEM(certData)
if err != nil {
t.Fatal(err)
}
switch l := len(certs); l {
case 1:
// good
default:
t.Errorf("expected 1 cert, got %d", l)
for i, certificate := range certs {
t.Log(i, dynamiccertificates.GetHumanCertDetail(certificate))
}
t.FailNow()
}
cert := certs[0]
if got := cert.NotAfter.Sub(cert.NotBefore); got != tt.wantDuration {
t.Errorf("CSR input duration %v got duration = %v, want %v\n%s", tt.duration, got, tt.wantDuration, dynamiccertificates.GetHumanCertDetail(cert))
}
})
}
}
func durationPtr(duration time.Duration) *time.Duration {
if duration == 0 {
return nil
}
return &duration
}
func errStr(err error) string {
if err == nil {
return ""
}
es := err.Error()
if len(es) == 0 {
panic("invalid empty error")
}
return es
}