certificates: update controllers to understand signerName field

Signed-off-by: James Munnelly <james.munnelly@jetstack.io>
2026-01-13 11:25:19 +00:00 · 2020-02-17 23:06:02 +00:00
parent d7e10f9869
commit d5dae04898
13 changed files with 555 additions and 128 deletions
--- a/pkg/controller/certificates/signer/signer.go
+++ b/pkg/controller/certificates/signer/signer.go
@@ -19,8 +19,10 @@ package signer

 import (
 	"context"
+	"crypto/x509"
 	"encoding/pem"
 	"fmt"
+	"strings"
 	"time"

 	capi "k8s.io/api/certificates/v1beta1"
@@ -89,13 +91,31 @@ func newSigner(caFile, caKeyFile string, client clientset.Interface, certificate
 }

 func (s *signer) handle(csr *capi.CertificateSigningRequest) error {
+	// Ignore unapproved requests
 	if !certificates.IsCertificateRequestApproved(csr) {
 		return nil
 	}
-	csr, err := s.sign(csr)
+
+	// Fast-path to avoid any additional processing if the CSRs signerName does
+	// not have a 'kubernetes.io/' prefix.
+	if !strings.HasPrefix(*csr.Spec.SignerName, "kubernetes.io/") {
+		return nil
+	}
+
+	x509cr, err := capihelper.ParseCSR(csr.Spec.Request)
+	if err != nil {
+		return fmt.Errorf("unable to parse csr %q: %v", csr.Name, err)
+	}
+	if !requestValidForSignerName(x509cr, csr.Spec.Usages, *csr.Spec.SignerName) {
+		// TODO: mark the CertificateRequest as being in a terminal state and
+		//  communicate to the user why the request has been refused.
+		return nil
+	}
+	cert, err := s.sign(x509cr, csr.Spec.Usages)
 	if err != nil {
 		return fmt.Errorf("error auto signing csr: %v", err)
 	}
+	csr.Status.Certificate = cert
 	_, err = s.client.CertificatesV1beta1().CertificateSigningRequests().UpdateStatus(context.TODO(), csr, metav1.UpdateOptions{})
 	if err != nil {
 		return fmt.Errorf("error updating signature for csr: %v", err)
@@ -103,23 +123,50 @@ func (s *signer) handle(csr *capi.CertificateSigningRequest) error {
 	return nil
 }

-func (s *signer) sign(csr *capi.CertificateSigningRequest) (*capi.CertificateSigningRequest, error) {
-	x509cr, err := capihelper.ParseCSR(csr.Spec.Request)
-	if err != nil {
-		return nil, fmt.Errorf("unable to parse csr %q: %v", csr.Name, err)
-	}
-
+func (s *signer) sign(x509cr *x509.CertificateRequest, usages []capi.KeyUsage) ([]byte, error) {
 	currCA, err := s.caProvider.currentCA()
 	if err != nil {
 		return nil, err
 	}
 	der, err := currCA.Sign(x509cr.Raw, authority.PermissiveSigningPolicy{
 		TTL:    s.certTTL,
-		Usages: csr.Spec.Usages,
+		Usages: usages,
 	})
 	if err != nil {
 		return nil, err
 	}
-	csr.Status.Certificate = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
-	return csr, nil
+	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
+}
+
+func requestValidForSignerName(req *x509.CertificateRequest, usages []capi.KeyUsage, signerName string) bool {
+	// Only handle CSRs with the specific known signerNames.
+	switch signerName {
+	case capi.KubeletServingSignerName:
+		return capihelper.IsKubeletServingCSR(req, usages)
+	case capi.KubeAPIServerClientKubeletSignerName:
+		return capihelper.IsKubeletClientCSR(req, usages)
+	case capi.KubeAPIServerClientSignerName:
+		return validAPIServerClientUsages(usages)
+	case capi.LegacyUnknownSignerName:
+		// No restrictions are applied to the legacy-unknown signerName to
+		// maintain backward compatibility in v1beta1.
+		return true
+	default:
+		return false
+	}
+}
+
+func validAPIServerClientUsages(usages []capi.KeyUsage) bool {
+	hasClientAuth := false
+	for _, u := range usages {
+		switch u {
+		// these usages are optional
+		case capi.UsageDigitalSignature, capi.UsageKeyEncipherment:
+		case capi.UsageClientAuth:
+			hasClientAuth = true
+		default:
+			return false
+		}
+	}
+	return hasClientAuth
 }