mirror of
https://github.com/kubernetes-sigs/node-feature-discovery.git
synced 2024-12-14 11:57:51 +00:00
nfd-master: implement --verify-node-name
Make NodeName based authorization of the workers optional (off by default). This makes it possible for all nfd-worker pods in the cluster to use one shared secret, making NFD deployment much easier. However, this also opens a way for nfd-workers to label other nodes (than what it is running on), too.
This commit is contained in:
Markus Lehtonen
parent
40061e6a78
commit
4c1e892d88
1 changed files with 28 additions and 21 deletions
|
|
@ -73,6 +73,7 @@ type Args struct {
|
|||
labelWhiteList *regexp.Regexp
|
||||
noPublish bool
|
||||
port int
|
||||
verifyNodeName bool
|
||||
}
|
||||
|
||||
func main() {
|
||||
|
|
@ -145,6 +146,7 @@ func argsParse(argv []string) (Args, error) {
|
|||
Usage:
|
||||
%s [--no-publish] [--label-whitelist=<pattern>] [--port=<port>]
|
||||
[--ca-file=<path>] [--cert-file=<path>] [--key-file=<path>]
|
||||
[--verify-node-name]
|
||||
%s -h | --help
|
||||
%s --version
|
||||
|
||||
|
|
@ -159,6 +161,9 @@ func argsParse(argv []string) (Args, error) {
|
|||
[Default: ]
|
||||
--key-file=<path> Private key matching --cert-file
|
||||
[Default: ]
|
||||
--verify-node-name Verify worker node name against CN from the TLS
|
||||
certificate. Only has effect when TLS authentication
|
||||
has been enabled.
|
||||
--no-publish Do not publish feature labels
|
||||
--label-whitelist=<pattern> Regular expression to filter label names to
|
||||
publish to the Kubernetes API server. [Default: ]`,
|
||||
|
|
@ -185,6 +190,7 @@ func argsParse(argv []string) (Args, error) {
|
|||
if err != nil {
|
||||
return args, fmt.Errorf("error parsing whitelist regex (%s): %s", arguments["--label-whitelist"], err)
|
||||
}
|
||||
args.verifyNodeName = arguments["--verify-node-name"].(bool)
|
||||
|
||||
// Check TLS related args
|
||||
if args.certFile != "" || args.keyFile != "" || args.caFile != "" {
|
||||
|
|
@ -242,6 +248,7 @@ type labelerServer struct {
|
|||
|
||||
// Service SetLabels
|
||||
func (s *labelerServer) SetLabels(c context.Context, r *pb.SetLabelsRequest) (*pb.SetLabelsReply, error) {
|
||||
if s.args.verifyNodeName {
|
||||
// Client authorization.
|
||||
// Check that the node name matches the CN from the TLS cert
|
||||
client, ok := peer.FromContext(c)
|
||||
|
|
@ -263,7 +270,7 @@ func (s *labelerServer) SetLabels(c context.Context, r *pb.SetLabelsRequest) (*p
|
|||
stderrLogger.Printf("gRPC request error: authorization for %v failed: cert valid for '%s', requested node name '%s'", client.Addr, cn, r.NodeName)
|
||||
return &pb.SetLabelsReply{}, fmt.Errorf("request authorization failed: cert valid for '%s', requested node name '%s'", cn, r.NodeName)
|
||||
}
|
||||
|
||||
}
|
||||
stdoutLogger.Printf("REQUEST Node: %s NFD-version: %s Labels: %s", r.NodeName, r.NfdVersion, r.Labels)
|
||||
|
||||
if !s.args.noPublish {
|
||||
|
|
|
|||
Loading…
Reference in a new issue