csrapprover

package
v0.0.0-...-c6fb7fd Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 16, 2024 License: Apache-2.0 Imports: 21 Imported by: 0

Documentation

Index

Constants

View Source
const (
	ControllerName = "ovnkube-csr-approver-controller"
	NamePrefix     = "system:ovn-node"
	MaxDuration    = time.Hour * 24 * 365
)

Variables

View Source
var (
	DefaultCSRAcceptanceCondition = CSRAcceptanceCondition{
		CommonNamePrefix: NamePrefix,
		Organizations:    []string{"system:ovn-nodes"},
		Groups:           []string{"system:nodes", "system:ovn-nodes", "system:authenticated"},
		UserPrefixes:     []string{"system:node", NamePrefix},
		Default:          true,
	}
	Usages = sets.New[certificatesv1.KeyUsage](
		certificatesv1.UsageDigitalSignature,
		certificatesv1.UsageClientAuth)
)
View Source
var Predicate = predicate.Funcs{
	CreateFunc: func(e event.CreateEvent) bool {
		return true
	},
	UpdateFunc: func(e event.UpdateEvent) bool {
		return true
	},
	DeleteFunc: func(e event.DeleteEvent) bool {

		return false
	},
}

Functions

This section is empty.

Types

type CSRAcceptanceCondition

type CSRAcceptanceCondition struct {
	// CommonNamePrefix specifies common name in target CSRs
	CommonNamePrefix string `json:"commonNamePrefix"`
	// Organization specifies Organization in target CSRs
	Organizations []string `json:"organizations"`
	// Groups specifies groups in target CSRs
	Groups []string `json:"groups"`
	// UserPrefixes specifies prefix of user field in target CSRs
	UserPrefixes []string `json:"userPrefixes"`
	// Default should be true if the target CSR is for ovn-node
	Default bool
	// contains filtered or unexported fields
}

CSRAcceptanceCondition specifies conditions which CSRs are approved by csrapprover. csrapprover will check these condition and decide to approve by following rules: - CSRs with a CommonName that does not start with "CommonNamePrefix" are ignored - CSRs with .Spec.SignerName not equal to kubernetes.io/kube-apiserver-client are ignored - CSRs .Spec.Username has a format of <prefix>:<nodeName> where <prefix> must exist in "UserPrefixes" - The node name extracted from .Spec.Username is a valid DNS subdomain - The .Spec.Usages in the CSR matches the "usages" value in the controller - All elements in .Spec.Groups in the CSR exist in the "Groups" - The .Spec.ExpirationSeconds is set and is not higher than "maxDuration" - The parsed CSR in .Spec.Request has a .Subject.Organization equal to "organization" - The parsed CSR in .Spec.Request has a .Subject.CommonName in the format of "<commonNamePrefix>:<nodeName>", where the nodeName value is extracted from .Spec.Username.

func InitCSRAcceptanceConditions

func InitCSRAcceptanceConditions(fileName string) (conditions []CSRAcceptanceCondition, err error)

InitCSRAcceptanceConditions initializes CSRAcceptanceCondition: Load json from fileName and add default CSRAcceptanceCondition

type OVNKubeCSRController

type OVNKubeCSRController struct {
	// contains filtered or unexported fields
}

OVNKubeCSRController approves certificate signing requests (CSRs) by applying the conditions, which is defined in CSRAcceptanceCondition.

func NewController

func NewController(client crclient.Client,
	csrAcceptanceConditions []CSRAcceptanceCondition,
	usages sets.Set[certificatesv1.KeyUsage],
	maxDuration time.Duration,
	recorder record.EventRecorder) *OVNKubeCSRController

NewController creates a new OVNKubeCSRController

func (*OVNKubeCSRController) Reconcile

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL