From 156e4c34422f016da086600a45138c1c072d4af0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Nussbaumer?=
Date: Tue, 28 Jun 2022 10:01:52 +0200
Subject: [PATCH] chore: document `ignore-non-system-node` and add to helm chart

---
 README.md | 7 ++++++-
 charts/kubelet-csr-approver/Chart.yaml | 2 +-
 charts/kubelet-csr-approver/templates/deployment.yaml | 4 ++++
 charts/kubelet-csr-approver/values.yaml | 2 ++
 4 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 0d91203..00a1d5d 100644
--- a/README.md
+++ b/README.md
@@ -39,7 +39,8 @@ variables) are:
 Per default it is hardcoded to a maximum of 367 days, and can be reduced with this parameter.
 * `--bypass-dns-resolution` or `BYPASS_DNS_RESOLUTION` permits to bypass DNS resolution
- check. the default value of the boolean is false, and you can enable it by
+ check. \
+ the default value of the boolean is false, and you can enable it by
 setting it to `true` (or any other option listed in GoLang's [`ParseBool`](https://github.com/golang/go/blob/master/src/strconv/atob.go#L10) function)
 
@@ -48,6 +49,10 @@ variables) are:
 addresses shall fall into. left unspecified, all IP addresses are allowed. \
 you can for example set it to `192.168.0.0/16,fc00::/7` if this reflects your local network IP ranges.
+* `--ignore-non-system-node` or `IGNORE_NON_SYSTEM_NODE` permits ignoring CSRs
+ with a _Username_ different than `system:node:......`. \
+ the default value of the boolean is false, and if you want to use this feature
+ you need to set this flag to `true`
 
 It is important to understand that the node DNS name needs to be resolvable for the `kubelet-csr-approver` to work properly. If this is an issue
diff --git a/charts/kubelet-csr-approver/Chart.yaml b/charts/kubelet-csr-approver/Chart.yaml
index 442953b..cfd22f7 100644
--- a/charts/kubelet-csr-approver/Chart.yaml
+++ b/charts/kubelet-csr-approver/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubelet-csr-approver
 description: Kubelet CSR Approver
 type: application
-version: 0.2.2
+version: 0.2.3
 appVersion: v0.2.2
 maintainers:
 - name: clementnuss
diff --git a/charts/kubelet-csr-approver/templates/deployment.yaml b/charts/kubelet-csr-approver/templates/deployment.yaml
index 9860d84..3dbeda1 100644
--- a/charts/kubelet-csr-approver/templates/deployment.yaml
+++ b/charts/kubelet-csr-approver/templates/deployment.yaml
@@ -60,6 +60,10 @@ spec:
 - name: BYPASS_DNS_RESOLUTION
 value: {{ .Values.bypassDnsResolution | quote }}
 {{- end }}
+ {{- if .Values.ignoreNonSystemNode}}
+ - name: IGNORE_NON_SYSTEM_NODE
+ value: {{ .Values.ignoreNonSystemNode | quote }}
+ {{- end }}
 {{- with .Values.env }}
 {{ toYaml . | nindent 12 }}
 {{- end }}
diff --git a/charts/kubelet-csr-approver/values.yaml b/charts/kubelet-csr-approver/values.yaml
index 0e0a79e..5626b4a 100644
--- a/charts/kubelet-csr-approver/values.yaml
+++ b/charts/kubelet-csr-approver/values.yaml
@@ -4,6 +4,8 @@ providerRegex: ""
 maxExpirationSeconds: ""
 # optional, permits to bypass dns resolution checks. default: false
 bypassDnsResolution: false
+# optional, permits ignoring CSRs with another Username than `system:node:...`
+ignoreNonSystemNode: false
 # optional, list of IP (IPv4, IPv6) subnets that are allowed to submit CSRs
 providerIpPrefixes: []
 # - 192.168.8.0/22
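Review bot: The new `IGNORE_NON_SYSTEM_NODE` env entry in deployment.yaml is only rendered when `.Values.ignoreNonSystemNode` is truthy, so for the default `false` the chart emits nothing and the binary's built-in default (documented in the README as false) applies; that is consistent, but the chart's `appVersion` stays at `v0.2.2` in this commit, so it is worth confirming that image already reads this variable — if the flag only landed in a later build, setting the value would silently have no effect while an operator believes non-`system:node` CSRs are being ignored. Separately, a style point: `{{- if .Values.ignoreNonSystemNode}}` drops the space before `}}` that the neighbouring `{{- end }}` and `{{- with .Values.env }}` use; `{{- if .Values.ignoreNonSystemNode }}` keeps the template consistent.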
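Review bot: The new comment above `ignoreNonSystemNode` in values.yaml leaves out the default value that the adjacent `bypassDnsResolution` comment states (`default: false`), so two neighbouring boolean options are documented differently. Appending `. default: false` to the new comment line, mirroring the line two above it, makes the values file self-describing for someone reading it without the README.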