feat: start implementing IP whitelist validation
clementnuss committed Apr 1, 2022
1 parent 6ef1e62 commit 6b49658
Showing 2 changed files with 26 additions and 1 deletion.
5 changes: 4 additions & 1 deletion internal/controller/csr_controller.go
Expand Up @@ -22,6 +22,7 @@ import (
"fmt"
"strings"

"inet.af/netaddr"
certificatesv1 "k8s.io/api/certificates/v1"
corev1 "k8s.io/api/core/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
Expand All @@ -45,6 +46,7 @@ type CertificateSigningRequestReconciler struct {
client.Client
Scheme *runtime.Scheme
ProviderRegexp func(string) bool
ProviderIPSet *netaddr.IPSet
MaxExpirationSeconds int32
BypassDNSResolution bool
Resolver HostResolver
Expand All @@ -55,7 +57,8 @@ type CertificateSigningRequestReconciler struct {
//+kubebuilder:rbac:groups=certificates.k8s.io,resources=signers,resourceNames="kubernetes.io/kubelet-serving",verbs=approve

// Reconcile will perform a series of checks before deciding whether the CSR should be approved or denied
//nolint: gocyclo // cyclomatic complexity is high (over 15), but this improves readibility for the programmer, therefore we ignore the linting error
// readibility for the programmer, therefore we ignore the linting error
//nolint: gocyclo // cyclomatic complexity is high (over 15), but this improves
func (r *CertificateSigningRequestReconciler) Reconcile(ctx context.Context, req ctrl.Request) (res ctrl.Result, returnErr error) {
l := log.FromContext(ctx)

Expand Down
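Review bot: The new exported field `ProviderIPSet *netaddr.IPSet` on CertificateSigningRequestReconciler has no doc comment, and as a pointer it is nil unless whoever constructs the reconciler sets it; WhitelistedIPCheck in regex_ip_checks.go calls `r.ProviderIPSet.Contains` on it directly, so the field's contract (required or optional, and what an unset allowlist means for approval) should be stated where the field is declared, e.g. `// ProviderIPSet is the set of IP prefixes a CSR's IP SANs must fall within. It must be non-nil when WhitelistedIPCheck is used.` The Reconcile body starts in the last hunk but continues outside it, so whether the new check is wired in and how a nil set is handled there is not visible here.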
22 changes: 22 additions & 0 deletions internal/controller/regex_ip_checks.go
Expand Up @@ -83,3 +83,25 @@ func (r *CertificateSigningRequestReconciler) DNSCheck(ctx context.Context, csr

return valid, reason, nil
}

// WhitelistedIPCheck verifies that the x509cr IP Addresses are contained in the
// set of ProviderSpecified IP addresses
func (r *CertificateSigningRequestReconciler) WhitelistedIPCheck(csr *certificatesv1.CertificateSigningRequest, x509cr *x509.CertificateRequest) (valid bool, reason string, err error) {
sanIPAddrs := x509cr.IPAddresses
for _, ip := range sanIPAddrs {
ipa, ok := netaddr.FromStdIP(ip)
if !ok {
return false, fmt.Sprintf("Error while parsing x509 CR IP address %s, denying the CSR", ip), nil
}

if !r.ProviderIPSet.Contains(ipa) {
return false,
fmt.Sprintf(
"One of the SAN IP addresses, %s, is not part"+
"of the allowed IP Prefixes/Subnets, denying the CSR.", ipa),
nil
}
}

return valid, reason, nil
}
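Review bot: The success path at the end of WhitelistedIPCheck returns the named results `valid` and `reason` without ever assigning them, so a CSR whose IP SANs are all contained in ProviderIPSet (or one with no IP SANs at all) still comes back as `valid == false` with an empty reason; the final line should be `return true, "", nil`. The denial message joins `"is not part"+"of the allowed IP Prefixes/Subnets, ..."` with no separating space and renders as "partof", so the first literal needs a trailing space. `r.ProviderIPSet` is dereferenced with no nil check; unless netaddr.IPSet tolerates a nil receiver, a reconciler built without the set will panic on the first CSR carrying an IP SAN, so either add a guard such as `if r.ProviderIPSet == nil { return false, "No IP allowlist configured, denying the CSR.", nil }` before the loop or document the field as required. The unused `csr` parameter is presumably kept for signature parity with DNSCheck; if so, a one-line comment saying that would stop a reader from assuming it was forgotten.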
