From fc610f0941f4603ae25c4ce6ff8879a7d03c54a4 Mon Sep 17 00:00:00 2001
From: Vadim Rutkovsky
Date: Wed, 7 Feb 2024 14:08:20 +0100
Subject: [PATCH] kubeadm: use current-context when validating kubelet kubeconfig During initialization `kubeadm init` creates kubelet.conf with specified name and during finalize phase validates that this kubeconfig is not corrupted by checking for presence of specific authinfo However: * kubelet doesn't require a specific name for this context * in external CA mode this kubeconfig can be created outside of `kubeadm init` This change updates kubeadm finalize stage to avoid overly strict context check.
---
 cmd/kubeadm/app/cmd/phases/init/kubeletfinalize.go | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/cmd/kubeadm/app/cmd/phases/init/kubeletfinalize.go b/cmd/kubeadm/app/cmd/phases/init/kubeletfinalize.go
index db72b541e83..837c8dc70d3 100644
--- a/cmd/kubeadm/app/cmd/phases/init/kubeletfinalize.go
+++ b/cmd/kubeadm/app/cmd/phases/init/kubeletfinalize.go
@@ -114,7 +114,17 @@ func runKubeletFinalizeCertRotation(c workflow.RunData) error {
 }
 // Perform basic validation. The errors here can only happen if the kubelet.conf was corrupted.
- userName := fmt.Sprintf("%s%s", kubeadmconstants.NodesUserPrefix, cfg.NodeRegistration.Name)
+ if len(kubeconfig.CurrentContext) == 0 {
+ return errors.Errorf("the file %q does not have current context set", kubeconfigPath)
+ }
+ currentContext, ok := kubeconfig.Contexts[kubeconfig.CurrentContext]
+ if !ok {
+ return errors.Errorf("the file %q is not a valid kubeconfig: %q set as current-context, but not found in context list", kubeconfigPath, kubeconfig.CurrentContext)
+ }
+ userName := currentContext.AuthInfo
+ if len(userName) == 0 {
+ return errors.Errorf("the file %q is not a valid kubeconfig: empty username for current context", kubeconfigPath)
+ }
 info, ok := kubeconfig.AuthInfos[userName]
 if !ok {
 return errors.Errorf("the file %q does not contain authentication for user %q", kubeconfigPath, cfg.NodeRegistration.Name)
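Review bot: The trailing `!ok` branch after `kubeconfig.AuthInfos[userName]` still formats its error with `cfg.NodeRegistration.Name`, although the key being looked up is now the current context's `AuthInfo`; for a kubelet.conf created outside `kubeadm init` the message would name a user that was never searched for. Pass the looked-up key instead: `return errors.Errorf("the file %q does not contain authentication for user %q", kubeconfigPath, userName)`. If that turns out to be the last use of `cfg` in runKubeletFinalizeCertRotation, its declaration (outside this hunk) would have to be dropped as well. Because the lookup no longer derives the user from `kubeadmconstants.NodesUserPrefix` plus the node name, the `// Perform basic validation` comment could state the narrower guarantee, e.g. `// Only structural consistency is checked; the user comes from current-context and is not compared with the node name.`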