Commit cba9f0d1 authored by Brad Davidson's avatar Brad Davidson Committed by Brad Davidson

Add new CLI flag to disable TLS SAN CN filtering

parent 2cb70236
...@@ -47,6 +47,7 @@ type Server struct { ...@@ -47,6 +47,7 @@ type Server struct {
KubeConfigMode string KubeConfigMode string
HelmJobImage string HelmJobImage string
TLSSan cli.StringSlice TLSSan cli.StringSlice
TLSSanSecurity bool
BindAddress string BindAddress string
EnablePProf bool EnablePProf bool
ExtraAPIArgs cli.StringSlice ExtraAPIArgs cli.StringSlice
...@@ -202,6 +203,11 @@ var ServerFlags = []cli.Flag{ ...@@ -202,6 +203,11 @@ var ServerFlags = []cli.Flag{
Usage: "(listener) Add additional hostnames or IPv4/IPv6 addresses as Subject Alternative Names on the server TLS cert", Usage: "(listener) Add additional hostnames or IPv4/IPv6 addresses as Subject Alternative Names on the server TLS cert",
Value: &ServerConfig.TLSSan, Value: &ServerConfig.TLSSan,
}, },
&cli.BoolTFlag{
Name: "tls-san-security",
Usage: "(listener) Protect the server TLS cert by refusing to add Subject Alternative Names not associated with the kubernetes apiserver service, server nodes, or values of the tls-san option (default: true)",
Destination: &ServerConfig.TLSSanSecurity,
},
DataDirFlag, DataDirFlag,
ClusterCIDR, ClusterCIDR,
ServiceCIDR, ServiceCIDR,
......
...@@ -132,6 +132,7 @@ func run(app *cli.Context, cfg *cmds.Server, leaderControllers server.CustomCont ...@@ -132,6 +132,7 @@ func run(app *cli.Context, cfg *cmds.Server, leaderControllers server.CustomCont
serverConfig.ControlConfig.Rootless = cfg.Rootless serverConfig.ControlConfig.Rootless = cfg.Rootless
serverConfig.ControlConfig.ServiceLBNamespace = cfg.ServiceLBNamespace serverConfig.ControlConfig.ServiceLBNamespace = cfg.ServiceLBNamespace
serverConfig.ControlConfig.SANs = util.SplitStringSlice(cfg.TLSSan) serverConfig.ControlConfig.SANs = util.SplitStringSlice(cfg.TLSSan)
serverConfig.ControlConfig.SANSecurity = cfg.TLSSanSecurity
serverConfig.ControlConfig.BindAddress = cfg.BindAddress serverConfig.ControlConfig.BindAddress = cfg.BindAddress
serverConfig.ControlConfig.SupervisorPort = cfg.SupervisorPort serverConfig.ControlConfig.SupervisorPort = cfg.SupervisorPort
serverConfig.ControlConfig.HTTPSPort = cfg.HTTPSPort serverConfig.ControlConfig.HTTPSPort = cfg.HTTPSPort
......
...@@ -52,8 +52,10 @@ func (c *Cluster) newListener(ctx context.Context) (net.Listener, http.Handler, ...@@ -52,8 +52,10 @@ func (c *Cluster) newListener(ctx context.Context) (net.Listener, http.Handler,
return nil, nil, err return nil, nil, err
} }
c.config.SANs = append(c.config.SANs, "kubernetes", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc."+c.config.ClusterDomain) c.config.SANs = append(c.config.SANs, "kubernetes", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc."+c.config.ClusterDomain)
c.config.Runtime.ClusterControllerStarts["server-cn-filter"] = func(ctx context.Context) { if c.config.SANSecurity {
registerAddressHandlers(ctx, c) c.config.Runtime.ClusterControllerStarts["server-cn-filter"] = func(ctx context.Context) {
registerAddressHandlers(ctx, c)
}
} }
storage := tlsStorage(ctx, c.config.DataDir, c.config.Runtime) storage := tlsStorage(ctx, c.config.DataDir, c.config.Runtime)
return wrapHandler(dynamiclistener.NewListenerWithChain(tcp, storage, certs, key, dynamiclistener.Config{ return wrapHandler(dynamiclistener.NewListenerWithChain(tcp, storage, certs, key, dynamiclistener.Config{
......
...@@ -220,6 +220,7 @@ type Control struct { ...@@ -220,6 +220,7 @@ type Control struct {
BindAddress string BindAddress string
SANs []string SANs []string
SANSecurity bool
PrivateIP string PrivateIP string
Runtime *ControlRuntime `json:"-"` Runtime *ControlRuntime `json:"-"`
} }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment