
Not recognized as kubelet serving csr #35

Description

@dbaumgarten

Hi,

I am trying to use kubelet-rubber-stamp, but encountered a problem.
The kubelet is configured to create a CSR for its serving certificate and I can see the CSR in kubernetes.

Kubelet-rubber-stamp however does not accept the CSRs. In its logs I see a lot of:

Reconciling CertificateSigningRequest /csr-2tb49
W0717 12:47:34.888280       1 certificatesigningrequest_controller.go:148] csr csr-2tb49 not recognized as kubelet serving csr, tried: [certificatesigningrequests]

with no further explanation why it was not recognized.

Below is the CSR resource and the decoded CSR:

apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  creationTimestamp: "2020-07-17T12:28:35Z"
  generateName: csr-
  name: csr-2tb49
  resourceVersion: "9756"
  selfLink: /apis/certificates.k8s.io/v1beta1/certificatesigningrequests/csr-2tb49
  uid: 5aff267c-4429-4337-818c-4aba78cfe381
spec:
  groups:
  - system:nodes
  - system:authenticated
  request: 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
  usages:
  - digital signature
  - key encipherment
  - server auth
  username: system:node:cis-test-kube-master-0
status: {}

Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: O = system:nodes, CN = system:node:cis-test-kube-master-0
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:7c:9e:4e:f3:f9:5a:f7:80:67:ce:68:50:e1:1d:
                    4f:a0:46:2e:ac:cf:c2:a2:3f:83:f4:71:5a:73:5e:
                    08:f8:ca:14:4f:2c:29:f0:fd:0b:2c:ae:05:e3:2c:
                    a0:c4:40:a4:13:fe:20:13:1e:cf:47:06:6c:53:3e:
                    6e:b2:08:13:a5
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                IP Address:11.217.36.35, IP Address:192.168.3.5
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:21:00:e1:56:59:e0:91:bb:c1:0e:16:b6:d4:11:a1:
         45:03:3c:41:d3:d5:79:8a:19:13:11:f0:5c:d2:1c:46:19:e0:
         0a:02:20:5f:1c:aa:4e:cc:b3:06:24:69:82:b3:0c:b0:d3:35:
         c8:90:51:ef:67:b7:5f:2e:27:d3:39:63:35:5f:c8:a9:e4

These look about right to me.
I am using Kubernetes 1.16.13.

As there are no log messages about what exactly is wrong with the CSR, and there is only one check that does not print a message on failure, I suspect this here is the problem: https://github.com/kontena/kubelet-rubber-stamp/blob/master/pkg/controller/certificatesigningrequest/helpers.go#L76

The question remains, why is my kubelet creating "invalid" CSRs? Has it something to do with the kubernetes version I use?
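A small checker, added here as an illustration and not code from kubelet-rubber-stamp or from the reporter, that approximates the upstream Kubernetes rules for a kubelet serving CSR (O, CN, SANs, exact usage set) and names every failing check, which is the diagnostic the log line above lacks. The CSR it inspects is constructed in code with the node name and one of the IPs from the issue; the rule set is an assumption and may differ from what helpers.go actually tests.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"net"
	"reflect"
	"sort"
)

// Usages a kubelet serving CSR is expected to carry (the set in this issue's CSR).
var servingUsages = []string{"digital signature", "key encipherment", "server auth"}

// checkServingCSR lists every reason the request fails the kubelet-serving shape
// checks (empty = pass). It approximates the upstream Kubernetes rules and is
// NOT kubelet-rubber-stamp's own helpers.go logic.
func checkServingCSR(username string, usages []string, cr *x509.CertificateRequest) []string {
	var p []string
	if !reflect.DeepEqual(cr.Subject.Organization, []string{"system:nodes"}) {
		p = append(p, fmt.Sprintf("subject O %v, want [system:nodes]", cr.Subject.Organization))
	}
	if cr.Subject.CommonName != username {
		p = append(p, fmt.Sprintf("CN %q != username %q", cr.Subject.CommonName, username))
	}
	if len(cr.DNSNames)+len(cr.IPAddresses) == 0 {
		p = append(p, "no DNS or IP SAN")
	}
	if len(cr.EmailAddresses) > 0 || len(cr.URIs) > 0 {
		p = append(p, "email/URI SANs not allowed")
	}
	got, want := append([]string(nil), usages...), append([]string(nil), servingUsages...)
	sort.Strings(got)
	sort.Strings(want) // exact set match, order-insensitive
	if !reflect.DeepEqual(got, want) {
		p = append(p, fmt.Sprintf("usages %v, want %v", usages, servingUsages))
	}
	return p
}

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
// newCSR builds a constructed ECDSA P-256 request shaped like the one in the issue.
func newCSR(cn string, ips []net.IP) *x509.CertificateRequest {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{Organization: []string{"system:nodes"}, CommonName: cn}, IPAddresses: ips}
	return must(x509.ParseCertificateRequest(must(x509.CreateCertificateRequest(rand.Reader, tmpl, key))))
}
```

Calling checkServingCSR with the CSR's spec.username and spec.usages returns an empty slice for a request shaped like the one above, and one entry per failed rule otherwise.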
