2018-01-09 18:57:14 +00:00
|
|
|
/*
|
|
|
|
Copyright 2016 The Kubernetes Authors.
|
|
|
|
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
you may not use this file except in compliance with the License.
|
|
|
|
You may obtain a copy of the License at
|
|
|
|
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
See the License for the specific language governing permissions and
|
|
|
|
limitations under the License.
|
|
|
|
*/
|
|
|
|
|
|
|
|
package cmd
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
|
|
|
"io"
|
|
|
|
|
2018-07-18 14:47:22 +00:00
|
|
|
"k8s.io/apimachinery/pkg/api/errors"
|
2018-01-09 18:57:14 +00:00
|
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
2018-07-18 14:47:22 +00:00
|
|
|
"k8s.io/apimachinery/pkg/runtime"
|
|
|
|
"k8s.io/kubernetes/pkg/api/legacyscheme"
|
2018-01-09 18:57:14 +00:00
|
|
|
"k8s.io/kubernetes/pkg/apis/certificates"
|
2018-07-18 14:47:22 +00:00
|
|
|
"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
|
2018-01-09 18:57:14 +00:00
|
|
|
"k8s.io/kubernetes/pkg/kubectl/cmd/templates"
|
|
|
|
cmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"
|
2018-07-18 14:47:22 +00:00
|
|
|
"k8s.io/kubernetes/pkg/kubectl/genericclioptions"
|
|
|
|
"k8s.io/kubernetes/pkg/kubectl/genericclioptions/printers"
|
|
|
|
"k8s.io/kubernetes/pkg/kubectl/genericclioptions/resource"
|
|
|
|
"k8s.io/kubernetes/pkg/kubectl/scheme"
|
2018-01-09 18:57:14 +00:00
|
|
|
"k8s.io/kubernetes/pkg/kubectl/util/i18n"
|
|
|
|
|
|
|
|
"github.com/spf13/cobra"
|
|
|
|
)
|
|
|
|
|
2018-07-18 14:47:22 +00:00
|
|
|
func NewCmdCertificate(f cmdutil.Factory, ioStreams genericclioptions.IOStreams) *cobra.Command {
|
2018-01-09 18:57:14 +00:00
|
|
|
cmd := &cobra.Command{
|
2018-03-06 22:33:18 +00:00
|
|
|
Use: "certificate SUBCOMMAND",
|
|
|
|
DisableFlagsInUseLine: true,
|
2018-01-09 18:57:14 +00:00
|
|
|
Short: i18n.T("Modify certificate resources."),
|
|
|
|
Long: "Modify certificate resources.",
|
|
|
|
Run: func(cmd *cobra.Command, args []string) {
|
|
|
|
cmd.Help()
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
2018-07-18 14:47:22 +00:00
|
|
|
cmd.AddCommand(NewCmdCertificateApprove(f, ioStreams))
|
|
|
|
cmd.AddCommand(NewCmdCertificateDeny(f, ioStreams))
|
2018-01-09 18:57:14 +00:00
|
|
|
|
|
|
|
return cmd
|
|
|
|
}
|
|
|
|
|
|
|
|
type CertificateOptions struct {
|
|
|
|
resource.FilenameOptions
|
2018-07-18 14:47:22 +00:00
|
|
|
|
|
|
|
PrintFlags *genericclioptions.PrintFlags
|
|
|
|
PrintObj printers.ResourcePrinterFunc
|
|
|
|
|
2018-01-09 18:57:14 +00:00
|
|
|
csrNames []string
|
|
|
|
outputStyle string
|
2018-07-18 14:47:22 +00:00
|
|
|
|
|
|
|
clientSet internalclientset.Interface
|
|
|
|
builder *resource.Builder
|
|
|
|
|
|
|
|
genericclioptions.IOStreams
|
2018-01-09 18:57:14 +00:00
|
|
|
}
|
|
|
|
|
2018-07-18 14:47:22 +00:00
|
|
|
func (o *CertificateOptions) Complete(f cmdutil.Factory, cmd *cobra.Command, args []string) error {
|
|
|
|
o.csrNames = args
|
|
|
|
o.outputStyle = cmdutil.GetFlagString(cmd, "output")
|
|
|
|
|
|
|
|
printer, err := o.PrintFlags.ToPrinter()
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
o.PrintObj = func(obj runtime.Object, out io.Writer) error {
|
|
|
|
return printer.PrintObj(obj, out)
|
|
|
|
}
|
|
|
|
|
|
|
|
o.builder = f.NewBuilder()
|
|
|
|
o.clientSet, err = f.ClientSet()
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2018-01-09 18:57:14 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2018-07-18 14:47:22 +00:00
|
|
|
func (o *CertificateOptions) Validate() error {
|
|
|
|
if len(o.csrNames) < 1 && cmdutil.IsFilenameSliceEmpty(o.Filenames) {
|
2018-01-09 18:57:14 +00:00
|
|
|
return fmt.Errorf("one or more CSRs must be specified as <name> or -f <filename>")
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2018-07-18 14:47:22 +00:00
|
|
|
func NewCmdCertificateApprove(f cmdutil.Factory, ioStreams genericclioptions.IOStreams) *cobra.Command {
|
|
|
|
options := CertificateOptions{
|
|
|
|
PrintFlags: genericclioptions.NewPrintFlags("approved").WithTypeSetter(scheme.Scheme),
|
|
|
|
IOStreams: ioStreams,
|
|
|
|
}
|
2018-01-09 18:57:14 +00:00
|
|
|
cmd := &cobra.Command{
|
2018-03-06 22:33:18 +00:00
|
|
|
Use: "approve (-f FILENAME | NAME)",
|
|
|
|
DisableFlagsInUseLine: true,
|
2018-01-09 18:57:14 +00:00
|
|
|
Short: i18n.T("Approve a certificate signing request"),
|
|
|
|
Long: templates.LongDesc(`
|
|
|
|
Approve a certificate signing request.
|
|
|
|
|
|
|
|
kubectl certificate approve allows a cluster admin to approve a certificate
|
|
|
|
signing request (CSR). This action tells a certificate signing controller to
|
|
|
|
issue a certificate to the requestor with the attributes requested in the CSR.
|
|
|
|
|
|
|
|
SECURITY NOTICE: Depending on the requested attributes, the issued certificate
|
|
|
|
can potentially grant a requester access to cluster resources or to authenticate
|
|
|
|
as a requested identity. Before approving a CSR, ensure you understand what the
|
|
|
|
signed certificate can do.
|
|
|
|
`),
|
|
|
|
Run: func(cmd *cobra.Command, args []string) {
|
2018-07-18 14:47:22 +00:00
|
|
|
cmdutil.CheckErr(options.Complete(f, cmd, args))
|
2018-01-09 18:57:14 +00:00
|
|
|
cmdutil.CheckErr(options.Validate())
|
2018-07-18 14:47:22 +00:00
|
|
|
cmdutil.CheckErr(options.RunCertificateApprove(cmdutil.GetFlagBool(cmd, "force")))
|
2018-01-09 18:57:14 +00:00
|
|
|
},
|
|
|
|
}
|
2018-07-18 14:47:22 +00:00
|
|
|
|
|
|
|
options.PrintFlags.AddFlags(cmd)
|
|
|
|
|
|
|
|
cmd.Flags().Bool("force", false, "Update the CSR even if it is already approved.")
|
2018-01-09 18:57:14 +00:00
|
|
|
cmdutil.AddFilenameOptionFlags(cmd, &options.FilenameOptions, "identifying the resource to update")
|
|
|
|
|
|
|
|
return cmd
|
|
|
|
}
|
|
|
|
|
2018-07-18 14:47:22 +00:00
|
|
|
func (o *CertificateOptions) RunCertificateApprove(force bool) error {
|
|
|
|
return o.modifyCertificateCondition(o.builder, o.clientSet, force, func(csr *certificates.CertificateSigningRequest) (*certificates.CertificateSigningRequest, bool) {
|
2018-01-09 18:57:14 +00:00
|
|
|
var alreadyApproved bool
|
|
|
|
for _, c := range csr.Status.Conditions {
|
|
|
|
if c.Type == certificates.CertificateApproved {
|
|
|
|
alreadyApproved = true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if alreadyApproved {
|
2018-07-18 14:47:22 +00:00
|
|
|
return csr, true
|
2018-01-09 18:57:14 +00:00
|
|
|
}
|
|
|
|
csr.Status.Conditions = append(csr.Status.Conditions, certificates.CertificateSigningRequestCondition{
|
|
|
|
Type: certificates.CertificateApproved,
|
|
|
|
Reason: "KubectlApprove",
|
|
|
|
Message: "This CSR was approved by kubectl certificate approve.",
|
|
|
|
LastUpdateTime: metav1.Now(),
|
|
|
|
})
|
2018-07-18 14:47:22 +00:00
|
|
|
return csr, false
|
2018-01-09 18:57:14 +00:00
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2018-07-18 14:47:22 +00:00
|
|
|
func NewCmdCertificateDeny(f cmdutil.Factory, ioStreams genericclioptions.IOStreams) *cobra.Command {
|
|
|
|
options := CertificateOptions{
|
|
|
|
PrintFlags: genericclioptions.NewPrintFlags("denied").WithTypeSetter(scheme.Scheme),
|
|
|
|
IOStreams: ioStreams,
|
|
|
|
}
|
2018-01-09 18:57:14 +00:00
|
|
|
cmd := &cobra.Command{
|
2018-03-06 22:33:18 +00:00
|
|
|
Use: "deny (-f FILENAME | NAME)",
|
|
|
|
DisableFlagsInUseLine: true,
|
2018-01-09 18:57:14 +00:00
|
|
|
Short: i18n.T("Deny a certificate signing request"),
|
|
|
|
Long: templates.LongDesc(`
|
|
|
|
Deny a certificate signing request.
|
|
|
|
|
|
|
|
kubectl certificate deny allows a cluster admin to deny a certificate
|
|
|
|
signing request (CSR). This action tells a certificate signing controller to
|
|
|
|
not to issue a certificate to the requestor.
|
|
|
|
`),
|
|
|
|
Run: func(cmd *cobra.Command, args []string) {
|
2018-07-18 14:47:22 +00:00
|
|
|
cmdutil.CheckErr(options.Complete(f, cmd, args))
|
2018-01-09 18:57:14 +00:00
|
|
|
cmdutil.CheckErr(options.Validate())
|
2018-07-18 14:47:22 +00:00
|
|
|
cmdutil.CheckErr(options.RunCertificateDeny(cmdutil.GetFlagBool(cmd, "force")))
|
2018-01-09 18:57:14 +00:00
|
|
|
},
|
|
|
|
}
|
2018-07-18 14:47:22 +00:00
|
|
|
|
|
|
|
options.PrintFlags.AddFlags(cmd)
|
|
|
|
|
|
|
|
cmd.Flags().Bool("force", false, "Update the CSR even if it is already denied.")
|
2018-01-09 18:57:14 +00:00
|
|
|
cmdutil.AddFilenameOptionFlags(cmd, &options.FilenameOptions, "identifying the resource to update")
|
|
|
|
|
|
|
|
return cmd
|
|
|
|
}
|
|
|
|
|
2018-07-18 14:47:22 +00:00
|
|
|
func (o *CertificateOptions) RunCertificateDeny(force bool) error {
|
|
|
|
return o.modifyCertificateCondition(o.builder, o.clientSet, force, func(csr *certificates.CertificateSigningRequest) (*certificates.CertificateSigningRequest, bool) {
|
2018-01-09 18:57:14 +00:00
|
|
|
var alreadyDenied bool
|
|
|
|
for _, c := range csr.Status.Conditions {
|
|
|
|
if c.Type == certificates.CertificateDenied {
|
|
|
|
alreadyDenied = true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if alreadyDenied {
|
2018-07-18 14:47:22 +00:00
|
|
|
return csr, true
|
2018-01-09 18:57:14 +00:00
|
|
|
}
|
|
|
|
csr.Status.Conditions = append(csr.Status.Conditions, certificates.CertificateSigningRequestCondition{
|
|
|
|
Type: certificates.CertificateDenied,
|
|
|
|
Reason: "KubectlDeny",
|
|
|
|
Message: "This CSR was approved by kubectl certificate deny.",
|
|
|
|
LastUpdateTime: metav1.Now(),
|
|
|
|
})
|
2018-07-18 14:47:22 +00:00
|
|
|
return csr, false
|
2018-01-09 18:57:14 +00:00
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2018-07-18 14:47:22 +00:00
|
|
|
func (options *CertificateOptions) modifyCertificateCondition(builder *resource.Builder, clientSet internalclientset.Interface, force bool, modify func(csr *certificates.CertificateSigningRequest) (*certificates.CertificateSigningRequest, bool)) error {
|
2018-01-09 18:57:14 +00:00
|
|
|
var found int
|
2018-07-18 14:47:22 +00:00
|
|
|
r := builder.
|
|
|
|
WithScheme(legacyscheme.Scheme).
|
2018-01-09 18:57:14 +00:00
|
|
|
ContinueOnError().
|
|
|
|
FilenameParam(false, &options.FilenameOptions).
|
|
|
|
ResourceNames("certificatesigningrequest", options.csrNames...).
|
|
|
|
RequireObject(true).
|
|
|
|
Flatten().
|
|
|
|
Latest().
|
|
|
|
Do()
|
2018-07-18 14:47:22 +00:00
|
|
|
err := r.Visit(func(info *resource.Info, err error) error {
|
2018-01-09 18:57:14 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2018-07-18 14:47:22 +00:00
|
|
|
for i := 0; ; i++ {
|
|
|
|
csr := info.Object.(*certificates.CertificateSigningRequest)
|
|
|
|
csr, hasCondition := modify(csr)
|
|
|
|
if !hasCondition || force {
|
|
|
|
csr, err = clientSet.Certificates().
|
|
|
|
CertificateSigningRequests().
|
|
|
|
UpdateApproval(csr)
|
|
|
|
if errors.IsConflict(err) && i < 10 {
|
|
|
|
if err := info.Get(); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
break
|
2018-01-09 18:57:14 +00:00
|
|
|
}
|
|
|
|
found++
|
2018-07-18 14:47:22 +00:00
|
|
|
|
|
|
|
return options.PrintObj(cmdutil.AsDefaultVersionedOrOriginal(info.Object, info.Mapping), options.Out)
|
2018-01-09 18:57:14 +00:00
|
|
|
})
|
|
|
|
if found == 0 {
|
2018-07-18 14:47:22 +00:00
|
|
|
fmt.Fprintf(options.Out, "No resources found\n")
|
2018-01-09 18:57:14 +00:00
|
|
|
}
|
|
|
|
return err
|
|
|
|
}
|