Documentation
Overview
Package csrapproval handles validation for CSR approval requests.
Constants
This section is empty.
Variables
This section is empty.
Functions
func IsNodeClientCert
func IsNodeClientCert(csr *capi.CertificateSigningRequest, x509cr *x509.CertificateRequest) bool
IsNodeClientCert recognizes client certificates
func IsNodeServerCert
func IsNodeServerCert(csr *capi.CertificateSigningRequest, x509cr *x509.CertificateRequest) bool
IsNodeServerCert recognizes server certificates
Types
type Context
type Context struct {
	// Set of Validators to be attempted.
	Vs []Validator
	// Kubernetes API client
	Client clientset.Interface
}
Context is the set of validators that are evaluated for each Certificate Signing Request.
func (*Context) HandleCSR
func (vc *Context) HandleCSR(csr *capi.CertificateSigningRequest) error
HandleCSR runs the certificate validation workflow.
For each new CSR, HandleCSR will attempt to find a validator that can handle each CSR by calling v.Recognize(csr).
If a validator is found, then the following checks are performed:
- v.Validate(csr): Validate the SAN, IP address in the certificate.
- SubjectAccessReview to ensure that the subject of the certificate has the permission given in Options.Permission on the API server.
- v.PreApproveHook(csr) completes without error.
If all of these succeed, the CSR is marked approved; otherwise it is denied.
If there is an error at any step, this validation should be attempted again by calling HandleCSR(csr) later.
If no Validator is Recognize()'d, this CSR is ignored.
type Options
type Options struct {
	// Name for this validator, used in logging.
	Name string
	// Metrics Label
	Label string
	// Message to set when CSR is approved/denied
	ApproveMsg string
	DenyMsg    string
	// Subject Access Review Permissions
	Permission authorization.ResourceAttributes
}
Options is the struct a validator returns from Opts(). The Opts() Validator method is already implemented on Options, so embedding this struct in your validator ought to be sufficient.
type Validator
type Validator interface {
	// Return common parameters for this validator. See definition.
	Opts() Options
	// Should this request be handled by *this* Validator? Others will be
	// attempted if you return false here.
	Recognize(csr *capi.CertificateSigningRequest, x509cr *x509.CertificateRequest) bool
	// If Recognize()'d, then validate the contents of the CSR.
	// For example, verify that the IP addresses or host names are
	// permitted by the requestor.
	Validate(csr *capi.CertificateSigningRequest, x509cr *x509.CertificateRequest) (bool, error)
	// Hook function that is called after Validate() is successful,
	// but before final approval. If this function returns an error,
	// this CSR will be retried.
	PreApproveHook(csr *capi.CertificateSigningRequest, x509cr *x509.CertificateRequest) error
}
Validator represents a workflow to handle a CSR.
HandleCSR processes certificate requests according to the decisions made with this interface. See HandleCSR above for details.
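The Validate() step above is where a validator enforces that the names a node asks for are really its own, and the (bool, error) split decides whether HandleCSR denies or retries. The following is an added example, not code from this package: it writes that check against the standard-library x509.CertificateRequest only (no k8s.io types), and it assumes the kubelet naming convention CN "system:node:<name>" with O "system:nodes", which this page does not state.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"net"
	"strings"
)

// validateNodeServerCSR is the kind of check a Validator's Validate method makes for a
// kubelet serving certificate. allowedSANs holds the host names and IPs (as strings) this
// node may serve. Assumed, not stated on this page: kubelets present CN "system:node:<name>", O "system:nodes".
func validateNodeServerCSR(x509cr *x509.CertificateRequest, allowedSANs []string) (bool, error) {
	if err := x509cr.CheckSignature(); err != nil {
		return false, err // an error, so HandleCSR retries later instead of denying
	}
	s := x509cr.Subject
	if !strings.HasPrefix(s.CommonName, "system:node:") || len(s.Organization) != 1 || s.Organization[0] != "system:nodes" {
		return false, nil // not a node identity: deny, nothing to retry
	}
	if len(x509cr.EmailAddresses) > 0 || len(x509cr.URIs) > 0 {
		return false, nil // a serving cert has no reason to carry email or URI SANs
	}
	allowed := map[string]bool{}
	for _, a := range allowedSANs {
		allowed[a] = true
	}
	requested := append([]string(nil), x509cr.DNSNames...)
	for _, ip := range x509cr.IPAddresses {
		requested = append(requested, ip.String())
	}
	for _, r := range requested {
		if !allowed[r] {
			return false, nil // any SAN outside the node's own identity denies the request
		}
	}
	return true, nil
}

// makeCSR builds a signed CSR in memory (constructed sample input, not from a real node).
func makeCSR(cn string, dns []string, ips []net.IP) *x509.CertificateRequest {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn, Organization: []string{"system:nodes"}}, DNSNames: dns, IPAddresses: ips}
	der, _ := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	cr, _ := x509.ParseCertificateRequest(der)
	return cr
}
```

A real validator would derive allowedSANs from the node object the API client in Context.Client returns for the CSR's subject, and wire the same (bool, error) result into Validate().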