Constants ¶
// Names and limits used by the ovn-node CSR approver.
const (
	// ControllerName identifies the CSR approver controller.
	ControllerName = "ovnkube-csr-approver-controller"
	// NamePrefix is the prefix expected on the common name and the user of
	// ovn-node CSRs.
	NamePrefix = "system:ovn-node"
	// MaxDuration is one year. Presumably this is the value handed to
	// NewController as maxDuration, the cap on a CSR's requested
	// .Spec.ExpirationSeconds — confirm at the call site.
	MaxDuration = 365 * 24 * time.Hour
)
Variables ¶
var (
	// DefaultCSRAcceptanceCondition is the built-in rule set for ovn-node
	// CSRs; InitCSRAcceptanceConditions adds it to the conditions loaded
	// from file.
	DefaultCSRAcceptanceCondition = CSRAcceptanceCondition{
		CommonNamePrefix: NamePrefix,
		// The parsed subject's Organization must equal this.
		Organizations: []string{"system:ovn-nodes"},
		// Every entry of the CSR's .Spec.Groups must appear in this list.
		Groups: []string{
			"system:nodes",
			"system:ovn-nodes",
			"system:authenticated",
		},
		// .Spec.Username must be "<prefix>:<nodeName>" with one of these prefixes.
		UserPrefixes: []string{"system:node", NamePrefix},
		Default:      true,
	}

	// Usages is the key-usage set a CSR's .Spec.Usages must match; the
	// element type is inferred from the certificatesv1 constants.
	Usages = sets.New(
		certificatesv1.UsageDigitalSignature,
		certificatesv1.UsageClientAuth,
	)
)
// Predicate accepts create and update events and rejects delete events.
// Parameter names are omitted because the event payload is never inspected.
var Predicate = predicate.Funcs{
	CreateFunc: func(event.CreateEvent) bool { return true },
	UpdateFunc: func(event.UpdateEvent) bool { return true },
	DeleteFunc: func(event.DeleteEvent) bool { return false },
}
Types ¶
type CSRAcceptanceCondition ¶
// CSRAcceptanceCondition is one rule set the approver checks a CSR against.
// The json tags are the keys of the file read by InitCSRAcceptanceConditions.
type CSRAcceptanceCondition struct {
	// CommonNamePrefix specifies the common name prefix in target CSRs; the
	// parsed subject CommonName must have the form "<CommonNamePrefix>:<nodeName>".
	CommonNamePrefix string `json:"commonNamePrefix"`
	// Organizations specifies the Organization the parsed CSR subject must carry.
	Organizations []string `json:"organizations"`
	// Groups specifies the allowed groups; every element of .Spec.Groups in
	// the CSR must be present in this list.
	Groups []string `json:"groups"`
	// UserPrefixes specifies the allowed prefixes of .Spec.Username, which
	// must have the form "<prefix>:<nodeName>".
	UserPrefixes []string `json:"userPrefixes"`
	// Default should be true if the target CSR is for ovn-node.
	// NOTE(review): this field carries no json tag, so encoding/json will still
	// populate it from a "Default" (or, case-insensitively, "default") key in
	// the conditions file — confirm that is intended; otherwise tag it `json:"-"`.
	Default bool
	// contains filtered or unexported fields
}
CSRAcceptanceCondition specifies the conditions under which CSRs are approved by csrapprover. csrapprover checks these conditions and decides whether to approve according to the following rules: - CSRs with a CommonName that does not start with "CommonNamePrefix" are ignored - CSRs with .Spec.SignerName not equal to kubernetes.io/kube-apiserver-client are ignored - The CSR's .Spec.Username has the format <prefix>:<nodeName>, where <prefix> must exist in "UserPrefixes" - The node name extracted from .Spec.Username is a valid DNS subdomain - The .Spec.Usages in the CSR match the "usages" value in the controller - All elements of .Spec.Groups in the CSR exist in "Groups" - The .Spec.ExpirationSeconds is set and is not higher than "maxDuration" - The parsed CSR in .Spec.Request has a .Subject.Organization equal to "organization" - The parsed CSR in .Spec.Request has a .Subject.CommonName in the format "<commonNamePrefix>:<nodeName>", where the nodeName value is extracted from .Spec.Username.
func InitCSRAcceptanceConditions ¶
func InitCSRAcceptanceConditions(fileName string) (conditions []CSRAcceptanceCondition, err error)
InitCSRAcceptanceConditions initializes the list of CSRAcceptanceCondition: it loads JSON from fileName and adds the default CSRAcceptanceCondition.
type OVNKubeCSRController ¶
type OVNKubeCSRController struct {
// contains filtered or unexported fields
}
OVNKubeCSRController approves certificate signing requests (CSRs) by applying the conditions defined in CSRAcceptanceCondition.
func NewController ¶
func NewController(client crclient.Client, csrAcceptanceConditions []CSRAcceptanceCondition, usages sets.Set[certificatesv1.KeyUsage], maxDuration time.Duration, recorder record.EventRecorder) *OVNKubeCSRController
NewController creates a new OVNKubeCSRController