Tolerate CSRs without encipherment key usage

basantsa1989 · Aug 29, 2022 · f62749e · f62749e
1 parent 5c668b9
commit f62749e
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 4 deletions.
diff --git a/cmd/gcp-controller-manager/node_csr_approver.go b/cmd/gcp-controller-manager/node_csr_approver.go
@@ -295,11 +295,24 @@ var (
 		capi.UsageDigitalSignature,
 		capi.UsageClientAuth,
 	}
+
+	// see https://issue.k8s.io/109077
+	kubeletClientUsagesNoEncipherment = []capi.KeyUsage{
+		capi.UsageDigitalSignature,
+		capi.UsageClientAuth,
+	}
+
 	kubeletServerUsages = []capi.KeyUsage{
 		capi.UsageKeyEncipherment,
 		capi.UsageDigitalSignature,
 		capi.UsageServerAuth,
 	}
+
+	// see https://issue.k8s.io/109077
+	kubeletServerUsagesNoEncipherment = []capi.KeyUsage{
+		capi.UsageDigitalSignature,
+		capi.UsageServerAuth,
+	}
 )
 
 func isNodeCert(_ *capi.CertificateSigningRequest, x509cr *x509.CertificateRequest) bool {
@@ -322,7 +335,7 @@ func isNodeClientCert(csr *capi.CertificateSigningRequest, x509cr *x509.Certific
 	if len(x509cr.DNSNames) > 0 || len(x509cr.IPAddresses) > 0 {
 		return false
 	}
-	return hasExactUsages(csr, kubeletClientUsages)
+	return hasExactUsages(csr, kubeletClientUsagesNoEncipherment) || hasExactUsages(csr, kubeletClientUsages)
 }
 
 func isLegacyNodeClientCert(csr *capi.CertificateSigningRequest, x509cr *x509.CertificateRequest) bool {
@@ -339,7 +352,7 @@ func isNodeServerCert(csr *capi.CertificateSigningRequest, x509cr *x509.Certific
 	if csr.Spec.SignerName != certsv1.KubeletServingSignerName {
 		return false
 	}
-	if !hasExactUsages(csr, kubeletServerUsages) {
+	if !hasExactUsages(csr, kubeletServerUsagesNoEncipherment) && !hasExactUsages(csr, kubeletServerUsages) {
 		return false
 	}
 	return csr.Spec.Username == x509cr.Subject.CommonName

diff --git a/cmd/gke-exec-auth-plugin/request.go b/cmd/gke-exec-auth-plugin/request.go
@@ -130,6 +130,8 @@ func processCSR(client clientset.Interface, privateKeyData []byte, hostname stri
 	csrData = append(csrData, attestData...)
 	klog.Info("added TPM attestation")
 
+	// TODO(liggitt): only add this key usage for RSA private keys once the minimum supported control plane is 1.25.
+	// see https://issue.k8s.io/109077
 	usages := []apicertificates.KeyUsage{
 		apicertificates.UsageDigitalSignature,
 		apicertificates.UsageKeyEncipherment,

diff --git a/pkg/csrapproval/csrapproval.go b/pkg/csrapproval/csrapproval.go
@@ -38,12 +38,24 @@ var nodeClientKeyUsages = []capi.KeyUsage{
 	capi.UsageClientAuth,
 }
 
+// see https://issue.k8s.io/109077
+var nodeClientKeyUsagesNoEncipherment = []capi.KeyUsage{
+	capi.UsageDigitalSignature,
+	capi.UsageClientAuth,
+}
+
 var nodeServerKeyUsages = []capi.KeyUsage{
 	capi.UsageKeyEncipherment,
 	capi.UsageDigitalSignature,
 	capi.UsageServerAuth,
 }
 
+// see https://issue.k8s.io/109077
+var nodeServerKeyUsagesNoEncipherment = []capi.KeyUsage{
+	capi.UsageDigitalSignature,
+	capi.UsageServerAuth,
+}
+
 // Validator represents a workflow to handle a CSR.
 //
 // HandleCSR processes certficate requests
@@ -301,7 +313,7 @@ func IsNodeClientCert(csr *capi.CertificateSigningRequest, x509cr *x509.Certific
 		return false
 	}
 
-	return hasExactUsages(csr, nodeClientKeyUsages)
+	return hasExactUsages(csr, nodeClientKeyUsagesNoEncipherment) || hasExactUsages(csr, nodeClientKeyUsages)
 }
 
 // IsNodeServerCert recognizes server certificates
@@ -310,7 +322,7 @@ func IsNodeServerCert(csr *capi.CertificateSigningRequest, x509cr *x509.Certific
 		return false
 	}
 
-	if !hasExactUsages(csr, nodeServerKeyUsages) {
+	if !hasExactUsages(csr, nodeServerKeyUsagesNoEncipherment) && !hasExactUsages(csr, nodeServerKeyUsages) {
 		return false
 	}