zouy414
diff --git a/‎pkg/controller/certificates/BUILD‎
Lines changed: 1 addition & 0 deletions b/‎pkg/controller/certificates/BUILD‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎pkg/controller/certificates/approver/sarapprove.go‎
Lines changed: 4 additions & 38 deletions b/‎pkg/controller/certificates/approver/sarapprove.go‎
Lines changed: 4 additions & 38 deletions
diff --git a/‎pkg/controller/certificates/approver/sarapprove_test.go‎
Lines changed: 22 additions & 61 deletions b/‎pkg/controller/certificates/approver/sarapprove_test.go‎
Lines changed: 22 additions & 61 deletions
diff --git a/‎pkg/controller/certificates/certificate_controller.go‎
Lines changed: 10 additions & 1 deletion b/‎pkg/controller/certificates/certificate_controller.go‎
Lines changed: 10 additions & 1 deletion
diff --git a/‎pkg/controller/certificates/signer/BUILD‎
Lines changed: 3 additions & 0 deletions b/‎pkg/controller/certificates/signer/BUILD‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎pkg/controller/certificates/signer/signer.go‎
Lines changed: 57 additions & 10 deletions b/‎pkg/controller/certificates/signer/signer.go‎
Lines changed: 57 additions & 10 deletions
@@ -13,6 +13,7 @@ go_library(
     importpath = "k8s.io/kubernetes/pkg/controller/certificates",
     visibility = ["//visibility:public"],
     deps = [
+        "//pkg/apis/certificates/v1beta1:go_default_library",
         "//pkg/controller:go_default_library",
         "//staging/src/k8s.io/api/certificates/v1beta1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library",
 
@@ -21,14 +21,13 @@ import (
 	"context"
 	"crypto/x509"
 	"fmt"
-	"reflect"
-	"strings"
 
 	authorization "k8s.io/api/authorization/v1"
 	capi "k8s.io/api/certificates/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	certificatesinformers "k8s.io/client-go/informers/certificates/v1beta1"
 	clientset "k8s.io/client-go/kubernetes"
+
 	capihelper "k8s.io/kubernetes/pkg/apis/certificates/v1beta1"
 	"k8s.io/kubernetes/pkg/controller/certificates"
 )
@@ -146,45 +145,12 @@ func appendApprovalCondition(csr *capi.CertificateSigningRequest, message string
 	})
 }
 
-func hasExactUsages(csr *capi.CertificateSigningRequest, usages []capi.KeyUsage) bool {
-	if len(usages) != len(csr.Spec.Usages) {
-		return false
-	}
-
-	usageMap := map[capi.KeyUsage]struct{}{}
-	for _, u := range usages {
-		usageMap[u] = struct{}{}
-	}
-
-	for _, u := range csr.Spec.Usages {
-		if _, ok := usageMap[u]; !ok {
-			return false
-		}
-	}
-
-	return true
-}
-
-var kubeletClientUsages = []capi.KeyUsage{
-	capi.UsageKeyEncipherment,
-	capi.UsageDigitalSignature,
-	capi.UsageClientAuth,
-}
-
 func isNodeClientCert(csr *capi.CertificateSigningRequest, x509cr *x509.CertificateRequest) bool {
-	if !reflect.DeepEqual([]string{"system:nodes"}, x509cr.Subject.Organization) {
-		return false
-	}
-	if len(x509cr.DNSNames) > 0 || len(x509cr.EmailAddresses) > 0 || len(x509cr.IPAddresses) > 0 || len(x509cr.URIs) > 0 {
+	isClientCSR := capihelper.IsKubeletClientCSR(x509cr, csr.Spec.Usages)
+	if !isClientCSR {
 		return false
 	}
-	if !hasExactUsages(csr, kubeletClientUsages) {
-		return false
-	}
-	if !strings.HasPrefix(x509cr.Subject.CommonName, "system:node:") {
-		return false
-	}
-	return true
+	return *csr.Spec.SignerName == capi.KubeAPIServerClientKubeletSignerName
 }
 
 func isSelfNodeClientCert(csr *capi.CertificateSigningRequest, x509cr *x509.CertificateRequest) bool {
 
@@ -36,54 +36,6 @@ import (
 	k8s_certificates_v1beta1 "k8s.io/kubernetes/pkg/apis/certificates/v1beta1"
 )
 
-func TestHasKubeletUsages(t *testing.T) {
-	cases := []struct {
-		usages   []capi.KeyUsage
-		expected bool
-	}{
-		{
-			usages:   nil,
-			expected: false,
-		},
-		{
-			usages:   []capi.KeyUsage{},
-			expected: false,
-		},
-		{
-			usages: []capi.KeyUsage{
-				capi.UsageKeyEncipherment,
-				capi.UsageDigitalSignature,
-			},
-			expected: false,
-		},
-		{
-			usages: []capi.KeyUsage{
-				capi.UsageKeyEncipherment,
-				capi.UsageDigitalSignature,
-				capi.UsageServerAuth,
-			},
-			expected: false,
-		},
-		{
-			usages: []capi.KeyUsage{
-				capi.UsageKeyEncipherment,
-				capi.UsageDigitalSignature,
-				capi.UsageClientAuth,
-			},
-			expected: true,
-		},
-	}
-	for _, c := range cases {
-		if hasExactUsages(&capi.CertificateSigningRequest{
-			Spec: capi.CertificateSigningRequestSpec{
-				Usages: c.usages,
-			},
-		}, kubeletClientUsages) != c.expected {
-			t.Errorf("unexpected result of hasKubeletUsages(%v), expecting: %v", c.usages, c.expected)
-		}
-	}
-}
-
 func TestHandle(t *testing.T) {
 	cases := []struct {
 		allowed    bool
@@ -208,6 +160,12 @@ func TestRecognizers(t *testing.T) {
 		func(b *csrBuilder) {
 			b.usages = append(b.usages, capi.UsageServerAuth)
 		},
+		func(b *csrBuilder) {
+			b.signerName = "example.com/not-correct"
+		},
+		func(b *csrBuilder) {
+			b.signerName = capi.KubeletServingSignerName
+		},
 	}
 
 	testRecognizer(t, badCases, isNodeClientCert, false)
@@ -230,9 +188,10 @@ func TestRecognizers(t *testing.T) {
 func testRecognizer(t *testing.T, cases []func(b *csrBuilder), recognizeFunc func(csr *capi.CertificateSigningRequest, x509cr *x509.CertificateRequest) bool, shouldRecognize bool) {
 	for _, c := range cases {
 		b := csrBuilder{
-			cn:        "system:node:foo",
-			orgs:      []string{"system:nodes"},
-			requestor: "system:node:foo",
+			signerName: capi.KubeAPIServerClientKubeletSignerName,
+			cn:         "system:node:foo",
+			orgs:       []string{"system:nodes"},
+			requestor:  "system:node:foo",
 			usages: []capi.KeyUsage{
 				capi.UsageKeyEncipherment,
 				capi.UsageDigitalSignature,
@@ -262,13 +221,14 @@ func makeTestCsr() *capi.CertificateSigningRequest {
 }
 
 type csrBuilder struct {
-	cn        string
-	orgs      []string
-	requestor string
-	usages    []capi.KeyUsage
-	dns       []string
-	emails    []string
-	ips       []net.IP
+	cn         string
+	orgs       []string
+	requestor  string
+	usages     []capi.KeyUsage
+	dns        []string
+	emails     []string
+	ips        []net.IP
+	signerName string
 }
 
 func makeFancyTestCsr(b csrBuilder) *capi.CertificateSigningRequest {
@@ -290,9 +250,10 @@ func makeFancyTestCsr(b csrBuilder) *capi.CertificateSigningRequest {
 	}
 	return &capi.CertificateSigningRequest{
 		Spec: capi.CertificateSigningRequestSpec{
-			Username: b.requestor,
-			Usages:   b.usages,
-			Request:  pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrb}),
+			Username:   b.requestor,
+			Usages:     b.usages,
+			SignerName: &b.signerName,
+			Request:    pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrb}),
 		},
 	}
 }
@@ -36,6 +36,7 @@ import (
 	"k8s.io/client-go/tools/record"
 	"k8s.io/client-go/util/workqueue"
 	"k8s.io/klog"
+	capihelper "k8s.io/kubernetes/pkg/apis/certificates/v1beta1"
 	"k8s.io/kubernetes/pkg/controller"
 )
 
@@ -192,7 +193,15 @@ func (cc *CertificateController) syncFunc(key string) error {
 
 	// need to operate on a copy so we don't mutate the csr in the shared cache
 	csr = csr.DeepCopy()
-
+	// If the `signerName` field is not set, we are talking to a pre-1.18 apiserver.
+	// As per the KEP document for the certificates API, this will be defaulted here
+	// in the controller to maintain backwards compatibility.
+	// This should be removed after a deprecation window has passed.
+	// Default here to allow handlers to assume the field is set.
+	if csr.Spec.SignerName == nil {
+		signerName := capihelper.DefaultSignerNameFromSpec(&csr.Spec)
+		csr.Spec.SignerName = &signerName
+	}
 	return cc.handler(csr)
 }
 
 
@@ -16,9 +16,12 @@ go_test(
     ],
     embed = [":go_default_library"],
     deps = [
+        "//pkg/apis/certificates/v1beta1:go_default_library",
         "//staging/src/k8s.io/api/certificates/v1beta1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/clock:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/diff:go_default_library",
+        "//staging/src/k8s.io/client-go/kubernetes/fake:go_default_library",
+        "//staging/src/k8s.io/client-go/testing:go_default_library",
         "//staging/src/k8s.io/client-go/util/cert:go_default_library",
         "//vendor/github.com/google/go-cmp/cmp:go_default_library",
     ],
 
@@ -19,8 +19,10 @@ package signer
 
 import (
 	"context"
+	"crypto/x509"
 	"encoding/pem"
 	"fmt"
+	"strings"
 	"time"
 
 	capi "k8s.io/api/certificates/v1beta1"
@@ -89,37 +91,82 @@ func newSigner(caFile, caKeyFile string, client clientset.Interface, certificate
 }
 
 func (s *signer) handle(csr *capi.CertificateSigningRequest) error {
+	// Ignore unapproved requests
 	if !certificates.IsCertificateRequestApproved(csr) {
 		return nil
 	}
-	csr, err := s.sign(csr)
+
+	// Fast-path to avoid any additional processing if the CSRs signerName does
+	// not have a 'kubernetes.io/' prefix.
+	if !strings.HasPrefix(*csr.Spec.SignerName, "kubernetes.io/") {
+		return nil
+	}
+
+	x509cr, err := capihelper.ParseCSR(csr.Spec.Request)
+	if err != nil {
+		return fmt.Errorf("unable to parse csr %q: %v", csr.Name, err)
+	}
+	if !requestValidForSignerName(x509cr, csr.Spec.Usages, *csr.Spec.SignerName) {
+		// TODO: mark the CertificateRequest as being in a terminal state and
+		//  communicate to the user why the request has been refused.
+		return nil
+	}
+	cert, err := s.sign(x509cr, csr.Spec.Usages)
 	if err != nil {
 		return fmt.Errorf("error auto signing csr: %v", err)
 	}
+	csr.Status.Certificate = cert
 	_, err = s.client.CertificatesV1beta1().CertificateSigningRequests().UpdateStatus(context.TODO(), csr, metav1.UpdateOptions{})
 	if err != nil {
 		return fmt.Errorf("error updating signature for csr: %v", err)
 	}
 	return nil
 }
 
-func (s *signer) sign(csr *capi.CertificateSigningRequest) (*capi.CertificateSigningRequest, error) {
-	x509cr, err := capihelper.ParseCSR(csr.Spec.Request)
-	if err != nil {
-		return nil, fmt.Errorf("unable to parse csr %q: %v", csr.Name, err)
-	}
-
+func (s *signer) sign(x509cr *x509.CertificateRequest, usages []capi.KeyUsage) ([]byte, error) {
 	currCA, err := s.caProvider.currentCA()
 	if err != nil {
 		return nil, err
 	}
 	der, err := currCA.Sign(x509cr.Raw, authority.PermissiveSigningPolicy{
 		TTL:    s.certTTL,
-		Usages: csr.Spec.Usages,
+		Usages: usages,
 	})
 	if err != nil {
 		return nil, err
 	}
-	csr.Status.Certificate = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
-	return csr, nil
+	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
+}
+
+func requestValidForSignerName(req *x509.CertificateRequest, usages []capi.KeyUsage, signerName string) bool {
+	// Only handle CSRs with the specific known signerNames.
+	switch signerName {
+	case capi.KubeletServingSignerName:
+		return capihelper.IsKubeletServingCSR(req, usages)
+	case capi.KubeAPIServerClientKubeletSignerName:
+		return capihelper.IsKubeletClientCSR(req, usages)
+	case capi.KubeAPIServerClientSignerName:
+		return validAPIServerClientUsages(usages)
+	case capi.LegacyUnknownSignerName:
+		// No restrictions are applied to the legacy-unknown signerName to
+		// maintain backward compatibility in v1beta1.
+		return true
+	default:
+		return false
+	}
+}
+
+func validAPIServerClientUsages(usages []capi.KeyUsage) bool {
+	hasClientAuth := false
+	for _, u := range usages {
+		switch u {
+		// these usages are optional
+		case capi.UsageDigitalSignature, capi.UsageKeyEncipherment:
+		case capi.UsageClientAuth:
+			hasClientAuth = true
+		default:
+			return false
+		}
+	}
+	return hasClientAuth
 }