chore: make k8s auth providers opt-in with build tag
clementnuss committed Dec 31, 2021
1 parent f1695f0 commit 6be1ca4
Showing 3 changed files with 17 additions and 1 deletion.
10 changes: 10 additions & 0 deletions README.md
Expand Up @@ -131,3 +131,13 @@ approver would make it quite hard for an attacker to start forging CSRs.
For sure, this simply requires modifying the `ProviderChecks(csr , x509csr))`
function to implement additional checks (such as validating the node identity
in an external inventory)

# build and development

when building locally to run the csr approver on an actual cluster with e.g. the
`oidc` authentication provider, you need to use the tag `debug` to import all
authentication providers. you will then build as follows:

```bash
go build -tags debug ./cmd/kubelet-csr-approver/
```
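Review bot: The new "build and development" paragraph does not say what a build without `-tags debug` does. Since this commit makes the providers opt-in, state explicitly that the default build contains no client-go authentication provider plugins and that a kubeconfig relying on one (for example `oidc`) will fail to authenticate. Otherwise readers who build locally without the tag get an authentication error with no pointer back to this section. It would also help to say that the tag is meant for out-of-cluster runs only, so that nobody carries it into the build of the in-cluster image.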
1 change: 0 additions & 1 deletion internal/cmd/cmd.go
Expand Up @@ -14,7 +14,6 @@ import (
"github.com/go-logr/zapr"
"github.com/peterbourgon/ff/v3"
"github.com/postfinance/flash"
_ "k8s.io/client-go/plugin/pkg/client/auth" //TODO: remove when used in-cluster
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/healthz"
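Review bot: Dropping the blank import of `k8s.io/client-go/plugin/pkg/client/auth` from the import block in cmd.go changes what the default binary can authenticate with, which is more than the `chore:` prefix suggests. Anyone currently running the approver out-of-cluster against a kubeconfig that uses one of these providers will break on upgrade unless they rebuild with the tag. Consider calling this out in the changelog or release notes. The removed line's TODO ("remove when used in-cluster") recorded the intent; a short comment in the new file explaining that in-cluster deployments do not need the plugins would preserve that context.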

7 changes: 7 additions & 0 deletions internal/cmd/k8s-auth.go
@@ -0,0 +1,7 @@
//go:build debug

package cmd

import (
_ "k8s.io/client-go/plugin/pkg/client/auth" // permits to use all authentication providers
)
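Review bot: The constraint `//go:build debug` on the first line uses a generic tag name that says nothing about authentication providers. Any future file gated on `debug` for an unrelated reason will silently pull the auth plugins in with it, and vice versa. A dedicated tag that names what it enables would keep the two concerns separate and make the build command self-explanatory. Two smaller points: toolchains older than Go 1.17 ignore `//go:build` and would always compile this file unless a matching `// +build debug` line is added, so confirm the minimum Go version; and the import comment reads better as "enables all client-go authentication providers".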
