From 6be1ca4f9dd5e89afcfe002b620fd7a1e4d36e15 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Nussbaumer?=
Date: Fri, 31 Dec 2021 09:17:04 +0100
Subject: [PATCH] chore: make k8s auth providers opt-in with build tag

---
 README.md                | 10 ++++++++++
 internal/cmd/cmd.go      |  1 -
 internal/cmd/k8s-auth.go |  7 +++++++
 3 files changed, 17 insertions(+), 1 deletion(-)
 create mode 100644 internal/cmd/k8s-auth.go

diff --git a/README.md b/README.md
index b2deb10..49f8d92 100644
--- a/README.md
+++ b/README.md
@@ -131,3 +131,13 @@ approver would make it quite hard for an attacker to start forging CSRs. For
 sure, this simply requires modifying the `ProviderChecks(csr , x509csr))`
 function to implement additional checks (such as validating the node identity
 in an external inventory)
+
+# build and development
+
+when building locally to run the csr approver on an actual cluster with e.g. the
+`oidc` authentication provider, you need to use the tag `debug` to import all
+authentication providers. you will then build as follows:
+
+```bash
+go build -tags debug ./cmd/kubelet-csr-approver/
+```
diff --git a/internal/cmd/cmd.go b/internal/cmd/cmd.go
index 7112297..09cb37a 100644
--- a/internal/cmd/cmd.go
+++ b/internal/cmd/cmd.go
@@ -14,7 +14,6 @@ import (
 	"github.com/go-logr/zapr"
 	"github.com/peterbourgon/ff/v3"
 	"github.com/postfinance/flash"
-	_ "k8s.io/client-go/plugin/pkg/client/auth" //TODO: remove when used in-cluster
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
diff --git a/internal/cmd/k8s-auth.go b/internal/cmd/k8s-auth.go
new file mode 100644
index 0000000..25dcdf9
--- /dev/null
+++ b/internal/cmd/k8s-auth.go
@@ -0,0 +1,7 @@
+//go:build debug
+
+package cmd
+
+import (
+	_ "k8s.io/client-go/plugin/pkg/client/auth" // permits to use all authentication providers
+)
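Review bot: The `//go:build debug` constraint at the top of the new k8s-auth.go is only honored by Go 1.17 and later toolchains; if this module is still built with an older Go (go.mod is not in the patch, so I cannot tell), the line is ignored and the auth plugins are compiled in unconditionally, which silently defeats the opt-in. If that applies, add the legacy form `// +build debug` directly below it (gofmt from 1.17 keeps the two in sync). The blank import's comment should also record why the import is gated rather than only what it does, so nobody "fixes" the build by moving it back into cmd.go: something like `// Kubeconfig credential plugins (oidc, cloud providers, exec) for out-of-cluster runs only; release builds use the in-cluster service-account token and must not carry the exec plugin, which runs arbitrary binaries named in a kubeconfig.` — verify the exact plugin set against the vendored client-go version before committing that list. Finally, `debug` is a tag name that people enable for verbose logging; a more specific tag such as `kubeconfig_auth` would keep this extra attack surface from being pulled in by accident.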