-
Notifications
You must be signed in to change notification settings - Fork 2.4k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add FilterCN function to prevent SAN Stuffing
Wire up a node watch to collect addresses of server nodes, to prevent adding unauthorized SANs to the dynamiclistener cert. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
- Loading branch information
Showing
11 changed files
with
100 additions
and
26 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,61 @@ | ||
package cluster | ||
|
||
import ( | ||
"context" | ||
|
||
"github.com/k3s-io/k3s/pkg/util" | ||
controllerv1 "github.com/rancher/wrangler/pkg/generated/controllers/core/v1" | ||
"github.com/sirupsen/logrus" | ||
v1 "k8s.io/api/core/v1" | ||
) | ||
|
||
func registerAddressHandlers(ctx context.Context, c *Cluster) { | ||
nodes := c.config.Runtime.Core.Core().V1().Node() | ||
a := &addressesHandler{ | ||
nodeController: nodes, | ||
allowed: map[string]bool{}, | ||
} | ||
|
||
for _, cn := range c.config.SANs { | ||
a.allowed[cn] = true | ||
} | ||
|
||
logrus.Infof("Starting dynamiclistener CN filter node controller") | ||
nodes.OnChange(ctx, "server-cn-filter", a.sync) | ||
c.cnFilterFunc = a.filterCN | ||
} | ||
|
||
type addressesHandler struct { | ||
nodeController controllerv1.NodeController | ||
allowed map[string]bool | ||
} | ||
|
||
// filterCN filters a list of potential server CNs (hostnames or IPs), removing any which do not correspond to | ||
// valid cluster servers (control-plane or etcd), or an address explicitly added via the tls-san option. | ||
func (a *addressesHandler) filterCN(cns ...string) []string { | ||
if !a.nodeController.Informer().HasSynced() { | ||
return cns | ||
} | ||
|
||
filteredCNs := make([]string, 0, len(cns)) | ||
for _, cn := range cns { | ||
if a.allowed[cn] { | ||
filteredCNs = append(filteredCNs, cn) | ||
} else { | ||
logrus.Debugf("CN filter controller rejecting certificate CN: %s", cn) | ||
} | ||
} | ||
return filteredCNs | ||
} | ||
|
||
// sync updates the allowed address list to include addresses for the node | ||
func (a *addressesHandler) sync(key string, node *v1.Node) (*v1.Node, error) { | ||
if node != nil { | ||
if node.Labels[util.ControlPlaneRoleLabelKey] != "" || node.Labels[util.ETCDRoleLabelKey] != "" { | ||
for _, address := range node.Status.Addresses { | ||
a.allowed[address.String()] = true | ||
} | ||
} | ||
} | ||
return node, nil | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
package util | ||
|
||
const ( | ||
MasterRoleLabelKey = "node-role.kubernetes.io/master" | ||
ControlPlaneRoleLabelKey = "node-role.kubernetes.io/control-plane" | ||
ETCDRoleLabelKey = "node-role.kubernetes.io/etcd" | ||
) |