Client-go: Approving CSR using the client-go

Created on 20 Jul 2019  路  1Comment  路  Source: kubernetes/client-go

Hello,

I see it is possible to list all CSRs within the cluster and even determine whether they are pending or not by checking ...csr.Status.Certificate == nil.

I wonder whether it is possible to approve those pending CSRs using the client-go library within a Job running in the same cluster and what is the best way to do that?
I tried to use UpdateApproval/UpdateStatus as below:

...
_, errApproval := clientSet.CertificatesV1beta1().CertificateSigningRequests().UpdateApproval(&csr)
if errApproval != nil {
    fmt.Fprintf(os.Stdout, "error approving csr:%s for the reason:%s\n", csr.Name, errApproval)
}
_, errStatus := clientSet.CertificatesV1beta1().CertificateSigningRequests().UpdateStatus(&csr)
if errStatus != nil {
    fmt.Fprintf(os.Stdout, "error updating status of csr:%s for the reason:%s\n", csr.Name, errStatus)
}
...

But the CSRs I tried to approve were still in pending status.

When I check kubectl certificate approve --help I see that only cluster-admin can approve pending CSRs.
As I did not really want to give cluster-admin power to the ServiceAccount, I defined the following ClusterRole for the ServiceAccount I am using for this task:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: bootstrap-helper
rules:
- apiGroups:
    - ""
  resources:
    - nodes
  verbs:
    - get
    - list
- apiGroups:
    - certificates.k8s.io
  resources:
    - certificatesigningrequests
  verbs:
    - delete
    - deletecollection
    - get
    - list
- apiGroups:
    - certificates.k8s.io
  resources:
    - certificatesigningrequests/approval
    - certificatesigningrequests/status
  verbs:
    - update

Although later on just for testing purposes I gave the ServiceAccount the cluster-admin ClusterRole and re-ran the job which gave the same result as above,

Finally I did another test but just using the token of the very same ServiceAccount with the kubectl I have on my laptop. i.e.:

> kubectl version
Client Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.0", GitCommit:"e8462b5b5dc2584fdcd18e6bcfe9f1e4d970a529", GitTreeState:"clean", BuildDate:"2019-06-19T16:40:16Z", GoVersion:"go1.12.5", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.0", GitCommit:"e8462b5b5dc2584fdcd18e6bcfe9f1e4d970a529", GitTreeState:"clean", BuildDate:"2019-06-19T16:32:14Z", GoVersion:"go1.12.5", Compiler:"gc", Platform:"linux/amd64"}
> kubectl --v=8 --token='eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9....' certificate approve csr-zxjtr

I0720 10:03:24.669699   61125 loader.go:359] Config loaded from file:  ..kube/config.apiserver
I0720 10:03:24.675672   61125 oidc.go:127] extra-scopes auth provider field depricated, refresh request don't send scopes
I0720 10:03:24.695004   61125 round_trippers.go:416] GET https://apiserver:6443/apis/certificates.k8s.io/v1beta1/certificatesigningrequests/csr-zxjtr
I0720 10:03:24.695032   61125 round_trippers.go:423] Request Headers:
I0720 10:03:24.695040   61125 round_trippers.go:426]     User-Agent: kubectl/v1.15.0 (linux/amd64) kubernetes/e8462b5
I0720 10:03:24.695063   61125 round_trippers.go:426]     Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9....
I0720 10:03:24.695084   61125 round_trippers.go:426]     Accept: application/json, */*
I0720 10:03:24.716621   61125 round_trippers.go:441] Response Status: 200 OK in 21 milliseconds
I0720 10:03:24.716648   61125 round_trippers.go:444] Response Headers:
I0720 10:03:24.716666   61125 round_trippers.go:447]     Audit-Id: 02d22e72-5023-49e2-be86-6251a2690d20
I0720 10:03:24.716672   61125 round_trippers.go:447]     Content-Type: application/json
I0720 10:03:24.716683   61125 round_trippers.go:447]     Content-Length: 1130
I0720 10:03:24.716691   61125 round_trippers.go:447]     Date: Sat, 20 Jul 2019 08:03:24 GMT
I0720 10:03:24.716724   61125 request.go:947] Response Body: {"kind":"CertificateSigningRequest","apiVersion":"certificates.k8s.io/v1beta1","metadata":{"name":"csr-zxjtr","generateName":"csr-","selfLink":"/apis/certificates.k8s.io/v1beta1/certificatesigningrequests/csr-zxjtr","uid":"f7e0ea93-5c68-4384-889b-d782484f8ef3","resourceVersion":"1255960","creationTimestamp":"2019-07-19T13:14:50Z"},"spec":{"request":"LS0t...==","usages":["digital signature","key encipherment","serv [truncated 106 chars]
I0720 10:03:24.718552   61125 request.go:947] Request Body: {"kind":"CertificateSigningRequest","apiVersion":"certificates.k8s.io/v1beta1","metadata":{"name":"csr-zxjtr","generateName":"csr-","selfLink":"/apis/certificates.k8s.io/v1beta1/certificatesigningrequests/csr-zxjtr","uid":"f7e0ea93-5c68-4384-889b-d782484f8ef3","resourceVersion":"1255960","creationTimestamp":"2019-07-19T13:14:50Z"},"spec":{"request":"LS0t...==","usages":["digital signature","key encipherment","serv [truncated 272 chars]
I0720 10:03:24.718629   61125 round_trippers.go:416] PUT https://apiserver:6443/apis/certificates.k8s.io/v1beta1/certificatesigningrequests/csr-zxjtr/approval
I0720 10:03:24.718641   61125 round_trippers.go:423] Request Headers:
I0720 10:03:24.718647   61125 round_trippers.go:426]     Accept: application/json, */*
I0720 10:03:24.718654   61125 round_trippers.go:426]     Content-Type: application/json
I0720 10:03:24.718660   61125 round_trippers.go:426]     User-Agent: kubectl/v1.15.0 (linux/amd64) kubernetes/e8462b5
I0720 10:03:24.718677   61125 round_trippers.go:426]     Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9....
I0720 10:03:24.725076   61125 round_trippers.go:441] Response Status: 200 OK in 6 milliseconds
I0720 10:03:24.725116   61125 round_trippers.go:444] Response Headers:
I0720 10:03:24.725124   61125 round_trippers.go:447]     Date: Sat, 20 Jul 2019 08:03:24 GMT
I0720 10:03:24.725133   61125 round_trippers.go:447]     Audit-Id: eff2afd3-2a2f-4d21-b90b-b4a5f3742f02
I0720 10:03:24.725138   61125 round_trippers.go:447]     Content-Type: application/json
I0720 10:03:24.725143   61125 round_trippers.go:447]     Content-Length: 1305
I0720 10:03:24.725187   61125 request.go:947] Response Body: {"kind":"CertificateSigningRequest","apiVersion":"certificates.k8s.io/v1beta1","metadata":{"name":"csr-zxjtr","generateName":"csr-","selfLink":"/apis/certificates.k8s.io/v1beta1/certificatesigningrequests/csr-zxjtr/approval","uid":"f7e0ea93-5c68-4384-889b-d782484f8ef3","resourceVersion":"1355305","creationTimestamp":"2019-07-19T13:14:50Z"},"spec":{"request":"LS0t...==","usages":["digital signature","key encipherme [truncated 281 chars]

certificatesigningrequest.certificates.k8s.io/csr-zxjtr approved

And it got approved:

> kubectl get csr csr-zxjtr
NAME        AGE   REQUESTOR             CONDITION
csr-zxjtr   19h   system:node:cored03   Approved,Issued

Most helpful comment

This issue can be closed, it was pretty straight forward:
First needed to update the status of the CSR like:

...
                csr.Status.Conditions = append(csr.Status.Conditions, certificatesv1beta1.CertificateSigningRequestCondition{
                    Type:           certificatesv1beta1.CertificateApproved,
                    Reason:         "BLABLABLA",
                    Message:        "This CSR was approved by BLABLABLA",
                    LastUpdateTime: metav1.Now(),
                })
...

And then call UpdateApproval which does PUT on the given csr/approve using the client.

>All comments

This issue can be closed, it was pretty straight forward:
First needed to update the status of the CSR like:

...
                csr.Status.Conditions = append(csr.Status.Conditions, certificatesv1beta1.CertificateSigningRequestCondition{
                    Type:           certificatesv1beta1.CertificateApproved,
                    Reason:         "BLABLABLA",
                    Message:        "This CSR was approved by BLABLABLA",
                    LastUpdateTime: metav1.Now(),
                })
...

And then call UpdateApproval which does PUT on the given csr/approve using the client.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

jgrobbel picture jgrobbel  路  3Comments

protheusfr picture protheusfr  路  3Comments

tamalsaha picture tamalsaha  路  6Comments

inetkiller picture inetkiller  路  6Comments

yashbhutwala picture yashbhutwala  路  4Comments