Derive kubelet serving certificate CSR template from node status addresses

[liggitt]

xref kubernetes/enhancements#267
fixes #55633

Builds on #65587

• Makes the cloud provider authoritative when recording node status addresses
• Makes the node status addresses authoritative for the kube-apiserver determining how to speak to a kubelet (stops paying attention to the hostname label when determining how to reach a kubelet, which was only done to support kubelets < 1.5)
• Updates kubelet certificate rotation to be driven from node status
  • Avoids needing to compute node addresses a second time, and differently, in order to request serving certificates.
  • Allows the kubelet to react to changes in its status addresses by updating its serving certificate
  • Allows the kubelet to be driven by external cloud providers recording node addresses on the node status

test procedure:

# setup
export FEATURE_GATES=RotateKubeletServerCertificate=true
export KUBELET_FLAGS="--rotate-server-certificates=true --cloud-provider=external"

# cleanup from previous runs
sudo rm -fr /var/lib/kubelet/pki/

# startup
hack/local-up-cluster.sh

# wait for a node to register, verify it didn't set addresses
kubectl get nodes 
kubectl get node/127.0.0.1 -o jsonpath={.status.addresses}

# verify the kubelet server isn't available, and that it didn't populate a serving certificate
curl --cacert _output/certs/server-ca.crt -v https://localhost:10250/pods
ls -la /var/lib/kubelet/pki

# set an address on the node
curl -X PATCH http://localhost:8080/api/v1/nodes/127.0.0.1/status \
  -H "Content-Type: application/merge-patch+json" \
  --data '{"status":{"addresses":[{"type":"Hostname","address":"localhost"}]}}'

# verify a csr was submitted with the right SAN, and approve it
kubectl describe csr
kubectl certificate approve csr-...

# verify the kubelet connection uses a cert that is properly signed and valid for the specified hostname, but NOT the IP
curl --cacert _output/certs/server-ca.crt -v https://localhost:10250/pods
curl --cacert _output/certs/server-ca.crt -v https://127.0.0.1:10250/pods
ls -la /var/lib/kubelet/pki

# set an hostname and IP address on the node
curl -X PATCH http://localhost:8080/api/v1/nodes/127.0.0.1/status \
  -H "Content-Type: application/merge-patch+json" \
  --data '{"status":{"addresses":[{"type":"Hostname","address":"localhost"},{"type":"InternalIP","address":"127.0.0.1"}]}}'

# verify a csr was submitted with the right SAN, and approve it
kubectl describe csr
kubectl certificate approve csr-...

# verify the kubelet connection uses a cert that is properly signed and valid for the specified hostname AND IP
curl --cacert _output/certs/server-ca.crt -v https://localhost:10250/pods
curl --cacert _output/certs/server-ca.crt -v https://127.0.0.1:10250/pods
ls -la /var/lib/kubelet/pki

* kubelets that specify `--cloud-provider` now only report addresses in Node status as determined by the cloud provider (unless `--hostname-override` is used to force reporting of the specified hostname)
* kubelet serving certificate rotation now reacts to changes in reported node addresses, and will request certificates for addresses set by an external cloud provider

[liggitt]

@kubernetes/sig-node-pr-reviews @kubernetes/sig-auth-pr-reviews
/assign @mikedanese @awly

[rphillips]

@liggitt since we are using reflect to verify a deep equal later in the code, we should sort the dns and IP addresses just in case they get returned in a different order at some point.

[liggitt]

good point, done

[liggitt]

/test pull-kubernetes-e2e-gke

[liggitt]

/retest

[rphillips]

/lgtm

[liggitt]

/test pull-kubernetes-e2e-gke

[smarterclayton]

Hrm. Is there any scenario where the node hostname can like an IP, but is not actually an IP and would not be appropriate to interpret as an IP?

[liggitt]

Is there any scenario where the node hostname can like an IP, but is not actually an IP and would not be appropriate to interpret as an IP?

No? A hostname that parses as an IP is an IP... SNI wouldn't treat it as a DNS name, cert verification would require an IP SAN (c.f. https://golang.org/src/crypto/x509/verify.go?s=28297:28349#L914)

[smarterclayton]

Why not v(2)? Because it hangs? If so, might want a slightly longer message.

[liggitt]

Yeah, wanted visibility

[liggitt]

/retest

[liggitt]

/retest

[liggitt]

/retest

[awly]

LGTM, but @mikedanese should take another look

[awly]

This can be config.GetTemplate != nil and local dynamicTemplate var can be removed

[liggitt]

config.GetTemplate and config.Template are mutually exclusive. dynamicTemplate is used to determine whether we need to monitor getTemplate() for changes

edit: misread, can update

[mikedanese]

This fixed GKE alpha cluster creation.

/lgtm

[k8s-ci-robot]

New changes are detected. LGTM label has been removed.

[liggitt]

fixed #65594 (comment), rebased, no other changes, relabeling
/assign @smarterclayton
for approval of change to pkg/util/node/node.go (dropped use of the hostname label when computing node connection URLs... was for <1.5 compatibility)

[liggitt]

/retest

[smarterclayton]

/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, mikedanese, rphillips, smarterclayton

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• pkg/OWNERS [smarterclayton]
• staging/src/k8s.io/client-go/util/certificate/OWNERS [liggitt,mikedanese,smarterclayton]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-github-robot]

Automatic merge from submit-queue (batch tested with PRs 65052, 65594). If you want to cherry-pick this change to another branch, please follow the instructions here.