What happened:
Data passed in the CN and O fields of a CSR submitted to the Kubernetes API server will be represented by kubectl in a way that could cause confusion for the administrator. It is possible to craft a CN field that modifies the appearance of the CSR when displayed with kubectl describe.
As an example, the CSR below has additional text in the CN field which, when viewed with kubectl describe, looks like this.

From the screenshot there may be some confusion as to whether the O field in the certificate is "usergroup" or "system:masters".
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: user2
spec:
  request: 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
Using openssl it's possible to see the modified CN field more clearly.

What you expected to happen:
Kubectl should escape any characters in the CSR object before displaying them to the user, to avoid any confusion about the structure of the CSR.
How to reproduce it (as minimally and precisely as possible):
Apply the CSR above to a Kubernetes cluster, then issue the command kubectl describe csr user2.
Environment:
quoting the fields with %q would be reasonable
The code is here in case anyone wants to take a look.
/good-first-issue
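An added example, not part of the original thread and not kubectl's code: a simplified describe-style printer that renders the same subject once as-is and once quoted with Go's %q, plus a reviewer-side check for non-printable characters in CN and O. The function names, the "Subject CN"/"Subject O" labels and the sample CN value are constructed for illustration.

```go
package main

import (
	"crypto/x509/pkix"
	"fmt"
	"strings"
	"unicode"
)

// sampleSubject returns a constructed subject whose CN embeds a newline.
func sampleSubject() pkix.Name {
	return pkix.Name{
		CommonName:   "user2\nEXTRA LINE FROM CN",
		Organization: []string{"usergroup"},
	}
}

// render returns v unchanged, or Go-quoted so control characters show as escapes.
func render(v string, quote bool) string {
	if quote {
		return fmt.Sprintf("%q", v)
	}
	return v
}

// describe is a hypothetical stand-in for a describe-style printer.
func describe(subj pkix.Name, quote bool) string {
	var b strings.Builder
	fmt.Fprintf(&b, "Subject CN:\t%s\n", render(subj.CommonName, quote))
	for _, o := range subj.Organization {
		fmt.Fprintf(&b, "Subject O:\t%s\n", render(o, quote))
	}
	return b.String()
}

// suspiciousFields names the subject fields that contain non-printable runes.
func suspiciousFields(subj pkix.Name) []string {
	bad := func(s string) bool {
		return strings.IndexFunc(s, func(r rune) bool { return !unicode.IsPrint(r) }) >= 0
	}
	var out []string
	if bad(subj.CommonName) {
		out = append(out, "CN")
	}
	for _, o := range subj.Organization {
		if bad(o) {
			out = append(out, "O")
			break
		}
	}
	return out
}

func main() {
	s := sampleSubject()
	fmt.Print("unquoted:\n", describe(s, false), "\nquoted:\n", describe(s, true))
	fmt.Println("fields to inspect before approving:", suspiciousFields(s))
}
```

In the unquoted output the embedded newline starts what looks like a separate line of the description; in the quoted output the whole CN stays on one line with the newline visible as an escape.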
@enj:
This request has been marked as suitable for new contributors.
Please ensure the request meets the requirements listed here.
If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-good-first-issue command.
In response to this:
/good-first-issue
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Hey @raesene, I can take a look at this as part of my learning task.
/assign @vinu2003
Hey @raesene, would it be nice to change the CommonName to CN and O for usergroup in kubectl describe output?
Any thoughts on this @liggitt @enj?
/priority backlog
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close
@fejta-bot: Closing this issue.