Kubelet csr approver (#9877)

* chore(helm-apps): fix README example README shows a non-working example according to the specs for this role. * Add support for kubelet-csr-approver Co-Authored-By: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * Add tests for kubelet-csr-approver Co-Authored-By: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * Add Documentation for Kubelet CSR Approver Co-Authored-By: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> --------- Co-authored-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>
2025-12-14 13:54:37 +03:00 · 2023-05-11 00:49:09 +00:00
parent 9a72de54de
commit 07d45e6b62
13 changed files with 94 additions and 9 deletions
--- a/tests/files/packet_centos7-flannel-addons-ha.yml
+++ b/tests/files/packet_centos7-flannel-addons-ha.yml
@@ -25,6 +25,7 @@ metrics_server_kubelet_insecure_tls: true
 kube_token_auth: true
 enable_nodelocaldns: false
 kubelet_rotate_server_certificates: true
+kubelet_csr_approver_enabled: false

 kube_oidc_url: https://accounts.google.com/.well-known/openid-configuration
 kube_oidc_client_id: kubespray-example
--- a/tests/files/packet_debian11-kubelet-csr-approver.yml
+++ b/tests/files/packet_debian11-kubelet-csr-approver.yml
@@ -0,0 +1,11 @@
+---
+# Instance settings
+cloud_image: debian-11
+mode: default
+
+# Kubespray settings
+kubelet_rotate_server_certificates: true
+kubelet_csr_approver_enabled: true
+kubelet_csr_approver_values:
+  # Do not check DNS resolution in testing (not recommended in production)
+  bypassDnsResolution: true
--- a/tests/files/packet_ubuntu20-calico-aio-hardening.yml
+++ b/tests/files/packet_ubuntu20-calico-aio-hardening.yml
@@ -80,6 +80,7 @@ etcd_deployment_type: kubeadm
 kubelet_authentication_token_webhook: true
 kube_read_only_port: 0
 kubelet_rotate_server_certificates: true
+kubelet_csr_approver_enabled: false
 kubelet_protect_kernel_defaults: true
 kubelet_event_record_qps: 1
 kubelet_rotate_certificates: true
--- a/tests/testcases/030_check-network.yml
+++ b/tests/testcases/030_check-network.yml
@@ -15,6 +15,35 @@
      bin_dir: "/usr/local/bin"
    when: not ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"]

+  - name: Check kubelet serving certificates approved with kubelet_csr_approver
+    block:
+
+    - name: Get certificate signing requests
+      command: "{{ bin_dir }}/kubectl get csr"
+      register: get_csr
+      changed_when: false
+
+    - debug:  # noqa unnamed-task
+        msg: "{{ get_csr.stdout.split('\n') }}"
+
+    - name: Check there are csrs
+      assert:
+        that: get_csr.stdout_lines | length > 0
+        fail_msg: kubelet_rotate_server_certificates is {{ kubelet_rotate_server_certificates }} but no csr's found
+
+    - name: Get Denied/Pending certificate signing requests
+      shell: "{{ bin_dir }}/kubectl get csr | grep -e Denied -e Pending || true"
+      register: get_csr_denied_pending
+      changed_when: false
+
+    - name: Check there are Denied/Pending csrs
+      assert:
+        that: get_csr_denied_pending.stdout_lines | length == 0
+        fail_msg: kubelet_csr_approver is enabled but CSRs are not approved
+    when:
+    - kubelet_rotate_server_certificates | default(false)
+    - kubelet_csr_approver_enabled | default(kubelet_rotate_server_certificates | default(false))
+
  - name: Approve kubelet serving certificates
    block:

@@ -37,7 +66,9 @@
    - debug:  # noqa unnamed-task
        msg: "{{ certificate_approve.stdout.split('\n') }}"

-    when: kubelet_rotate_server_certificates | default(false)
+    when:
+    - kubelet_rotate_server_certificates | default(false)
+    - not (kubelet_csr_approver_enabled | default(kubelet_rotate_server_certificates | default(false)))

  - name: Create test namespace
    command: "{{ bin_dir }}/kubectl create namespace test"