Merge pull request kubernetes#90191 from liggitt/csr-status

CSR condition status, lastTransitionTime, versioned validation

Author: k8s-ci-robot

api/openapi-spec/swagger.json

@@ -16,6 +16,7 @@ go_library(
     ],
     importpath = "k8s.io/kubernetes/pkg/apis/certificates",
     deps = [
+        "//pkg/apis/core:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",

pkg/apis/certificates/BUILD

@@ -16,7 +16,10 @@ limitations under the License.
 
 package certificates
 
-import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	api "k8s.io/kubernetes/pkg/apis/core"
+)
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
@@ -72,6 +75,28 @@ type CertificateSigningRequestSpec struct {
 	Extra map[string]ExtraValue
 }
 
+// Built in signerName values that are honoured by kube-controller-manager.
+// None of these usages are related to ServiceAccount token secrets
+// `.data[ca.crt]` in any way.
+const (
+	// Signs certificates that will be honored as client-certs by the
+	// kube-apiserver. Never auto-approved by kube-controller-manager.
+	KubeAPIServerClientSignerName = "kubernetes.io/kube-apiserver-client"
+
+	// Signs client certificates that will be honored as client-certs by the
+	// kube-apiserver for a kubelet.
+	// May be auto-approved by kube-controller-manager.
+	KubeAPIServerClientKubeletSignerName = "kubernetes.io/kube-apiserver-client-kubelet"
+
+	// Signs serving certificates that are honored as a valid kubelet serving
+	// certificate by the kube-apiserver, but has no other guarantees.
+	KubeletServingSignerName = "kubernetes.io/kubelet-serving"
+
+	// Has no guarantees for trust at all. Some distributions may honor these
+	// as client certs, but that behavior is not standard kubernetes behavior.
+	LegacyUnknownSignerName = "kubernetes.io/legacy-unknown"
+)
+
 // ExtraValue masks the value so protobuf can generate
 type ExtraValue []string
 
@@ -91,11 +116,17 @@ type RequestConditionType string
 const (
 	CertificateApproved RequestConditionType = "Approved"
 	CertificateDenied   RequestConditionType = "Denied"
+	CertificateFailed   RequestConditionType = "Failed"
 )
 
 type CertificateSigningRequestCondition struct {
-	// request approval state, currently Approved or Denied.
+	// type of the condition. Known conditions include "Approved", "Denied", and "Failed".
 	Type RequestConditionType
+	// Status of the condition, one of True, False, Unknown.
+	// Approved, Denied, and Failed conditions may not be "False" or "Unknown".
+	// If unset, should be treated as "True".
+	// +optional
+	Status api.ConditionStatus
 	// brief reason for the request state
 	// +optional
 	Reason string
@@ -105,6 +136,9 @@ type CertificateSigningRequestCondition struct {
 	// timestamp for the last update to this condition
 	// +optional
 	LastUpdateTime metav1.Time
+	// lastTransitionTime is the time the condition last transitioned from one status to another.
+	// +optional
+	LastTransitionTime metav1.Time
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

pkg/apis/certificates/types.go

@@ -20,7 +20,9 @@ go_library(
     importpath = "k8s.io/kubernetes/pkg/apis/certificates/v1beta1",
     deps = [
         "//pkg/apis/certificates:go_default_library",
+        "//pkg/apis/core:go_default_library",
         "//staging/src/k8s.io/api/certificates/v1beta1:go_default_library",
+        "//staging/src/k8s.io/api/core/v1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/conversion:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",

pkg/apis/certificates/v1beta1/BUILD

@@ -18,10 +18,12 @@ package v1beta1
 
 import (
 	"crypto/x509"
+	"fmt"
 	"reflect"
 	"strings"
 
 	certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
+	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/sets"
 )
@@ -41,6 +43,12 @@ func SetDefaults_CertificateSigningRequestSpec(obj *certificatesv1beta1.Certific
 	}
 }
 
+func SetDefaults_CertificateSigningRequestCondition(obj *certificatesv1beta1.CertificateSigningRequestCondition) {
+	if len(obj.Status) == 0 {
+		obj.Status = v1.ConditionTrue
+	}
+}
+
 // DefaultSignerNameFromSpec will determine the signerName that should be set
 // by attempting to inspect the 'request' content and the spec options.
 func DefaultSignerNameFromSpec(obj *certificatesv1beta1.CertificateSigningRequestSpec) string {
@@ -59,18 +67,34 @@ func DefaultSignerNameFromSpec(obj *certificatesv1beta1.CertificateSigningReques
 	}
 }
 
+var (
+	organizationNotSystemNodesErr = fmt.Errorf("subject organization is not system:nodes")
+	commonNameNotSystemNode       = fmt.Errorf("subject common name does not begin with system:node:")
+	dnsOrIPSANRequiredErr         = fmt.Errorf("DNS or IP subjectAltName is required")
+	dnsSANNotAllowedErr           = fmt.Errorf("DNS subjectAltNames are not allowed")
+	emailSANNotAllowedErr         = fmt.Errorf("Email subjectAltNames are not allowed")
+	ipSANNotAllowedErr            = fmt.Errorf("IP subjectAltNames are not allowed")
+	uriSANNotAllowedErr           = fmt.Errorf("URI subjectAltNames are not allowed")
+)
+
 func IsKubeletServingCSR(req *x509.CertificateRequest, usages []certificatesv1beta1.KeyUsage) bool {
+	return ValidateKubeletServingCSR(req, usages) == nil
+}
+func ValidateKubeletServingCSR(req *x509.CertificateRequest, usages []certificatesv1beta1.KeyUsage) error {
 	if !reflect.DeepEqual([]string{"system:nodes"}, req.Subject.Organization) {
-		return false
+		return organizationNotSystemNodesErr
 	}
 
 	// at least one of dnsNames or ipAddresses must be specified
 	if len(req.DNSNames) == 0 && len(req.IPAddresses) == 0 {
-		return false
+		return dnsOrIPSANRequiredErr
 	}
 
-	if len(req.EmailAddresses) > 0 || len(req.URIs) > 0 {
-		return false
+	if len(req.EmailAddresses) > 0 {
+		return emailSANNotAllowedErr
+	}
+	if len(req.URIs) > 0 {
+		return uriSANNotAllowedErr
 	}
 
 	requiredUsages := []certificatesv1beta1.KeyUsage{
@@ -79,27 +103,39 @@ func IsKubeletServingCSR(req *x509.CertificateRequest, usages []certificatesv1be
 		certificatesv1beta1.UsageServerAuth,
 	}
 	if !equalUnsorted(requiredUsages, usages) {
-		return false
+		return fmt.Errorf("usages did not match %v", requiredUsages)
 	}
 
 	if !strings.HasPrefix(req.Subject.CommonName, "system:node:") {
-		return false
+		return commonNameNotSystemNode
 	}
 
-	return true
+	return nil
 }
 
 func IsKubeletClientCSR(req *x509.CertificateRequest, usages []certificatesv1beta1.KeyUsage) bool {
+	return ValidateKubeletClientCSR(req, usages) == nil
+}
+func ValidateKubeletClientCSR(req *x509.CertificateRequest, usages []certificatesv1beta1.KeyUsage) error {
 	if !reflect.DeepEqual([]string{"system:nodes"}, req.Subject.Organization) {
-		return false
+		return organizationNotSystemNodesErr
 	}
 
-	if len(req.DNSNames) > 0 || len(req.EmailAddresses) > 0 || len(req.IPAddresses) > 0 || len(req.URIs) > 0 {
-		return false
+	if len(req.DNSNames) > 0 {
+		return dnsSANNotAllowedErr
+	}
+	if len(req.EmailAddresses) > 0 {
+		return emailSANNotAllowedErr
+	}
+	if len(req.IPAddresses) > 0 {
+		return ipSANNotAllowedErr
+	}
+	if len(req.URIs) > 0 {
+		return uriSANNotAllowedErr
 	}
 
 	if !strings.HasPrefix(req.Subject.CommonName, "system:node:") {
-		return false
+		return commonNameNotSystemNode
 	}
 
 	requiredUsages := []certificatesv1beta1.KeyUsage{
@@ -108,10 +144,10 @@ func IsKubeletClientCSR(req *x509.CertificateRequest, usages []certificatesv1bet
 		certificatesv1beta1.UsageClientAuth,
 	}
 	if !equalUnsorted(requiredUsages, usages) {
-		return false
+		return fmt.Errorf("usages did not match %v", requiredUsages)
 	}
 
-	return true
+	return nil
 }
 
 // equalUnsorted compares two []string for equality of contents regardless of

pkg/apis/certificates/v1beta1/defaults.go

@@ -12,9 +12,16 @@ go_library(
     importpath = "k8s.io/kubernetes/pkg/apis/certificates/validation",
     deps = [
         "//pkg/apis/certificates:go_default_library",
+        "//pkg/apis/certificates/v1beta1:go_default_library",
         "//pkg/apis/core/validation:go_default_library",
+        "//staging/src/k8s.io/api/core/v1:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/api/equality:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/util/diff:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/validation:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
+        "//staging/src/k8s.io/client-go/util/cert:go_default_library",
     ],
 )
 
@@ -37,7 +44,11 @@ go_test(
     embed = [":go_default_library"],
     deps = [
         "//pkg/apis/certificates:go_default_library",
+        "//pkg/apis/certificates/v1beta1:go_default_library",
+        "//pkg/apis/core:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
     ],
 )