github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

kubelet: add key encipherment usage only if it is rsa key

Browse Source 
remove allowOmittingUsageKeyEncipherment as it is always true

Signed-off-by: Paco Xu <paco.xu@daocloud.io>
This commit is contained in:
Paco Xu
2022-08-03 16:41:09 +08:00
parent 3ace3eb74b
commit 160f015ef4
9 changed files with 155 additions and 132 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
pkg/controller/certificates/approver/sarapprove.go
View File

@@ -152,7 +152,7 @@ func isNodeClientCert(csr *capi.CertificateSigningRequest, x509cr *x509.Certific
if csr.Spec.SignerName != capi.KubeAPIServerClientKubeletSignerName {
return false
}
return capihelper.IsKubeletClientCSR(x509cr, usagesToSet(csr.Spec.Usages), true)
return capihelper.IsKubeletClientCSR(x509cr, usagesToSet(csr.Spec.Usages))
}
func isSelfNodeClientCert(csr *capi.CertificateSigningRequest, x509cr *x509.CertificateRequest) bool {

4
pkg/controller/certificates/signer/signer.go
View File

@@ -248,14 +248,14 @@ func isKubeletServing(req *x509.CertificateRequest, usages []capi.KeyUsage, sign
if signerName != capi.KubeletServingSignerName {
return false, nil
}
return true, capihelper.ValidateKubeletServingCSR(req, usagesToSet(usages), true)
return true, capihelper.ValidateKubeletServingCSR(req, usagesToSet(usages))
}
func isKubeletClient(req *x509.CertificateRequest, usages []capi.KeyUsage, signerName string) (bool, error) {
if signerName != capi.KubeAPIServerClientKubeletSignerName {
return false, nil
}
return true, capihelper.ValidateKubeletClientCSR(req, usagesToSet(usages), true)
return true, capihelper.ValidateKubeletClientCSR(req, usagesToSet(usages))
}
func isKubeAPIServerClient(req *x509.CertificateRequest, usages []capi.KeyUsage, signerName string) (bool, error) {