Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Never approve CSR if --bypass-dns-resolution is specified #253

Closed
kariya-mitsuru opened this issue May 16, 2024 · 5 comments
Closed

Never approve CSR if --bypass-dns-resolution is specified #253

kariya-mitsuru opened this issue May 16, 2024 · 5 comments
Assignees

Comments

@kariya-mitsuru
Copy link

After updating to 1.2.0, the following error message appeared and CSRs were not approved.

Denying kubelet-serving CSR. DNS checks failed. Reason:One of the SAN IP addresses, xxx.xxx.xxx.xxx, is not contained in the set of resolved IP addresses, denying the CSR.

In my environment, the node name cannot be resolved by DNS, so I specify --bypass-dns-resolution.

I checked the source, and the IP addresses of the SAN are checked against resolvedIPSet here, however
resolvedIPSet contains only the IP addresses resolved here by DNS.

So, I think the check will always fail if --bypass-dns-resolution is specified.

@sherif-fanous
Copy link

Ran into the same issue now

@alan113696
Copy link

Same

@clementnuss
Copy link
Contributor

hi!

really sorry for the bug introduced while resolving #250 🤦🏼

I've now made the code simpler, with a proper early exit when bypassDNSResolution is true.

I've also added a testcase covering this issue.

can someone try the following image and report on whether the fix works on their side ?

docker.io/postfinance/kubelet-csr-approver:dns-check-fix
ghcr.io/postfinance/kubelet-csr-approver:dns-check-fix

@kariya-mitsuru
Copy link
Author

Thanks for the quick fix!

I checked it with helm chart 1.2.0 by setting image.tag to dns-check-fix, and it is approved without any problem!

@clementnuss
Copy link
Contributor

release v1.2.1 with the fix is out.

sorry for the inconvenience, and hoping everything settles down 🙃

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants