Skip to content
/ tbctrl Public

A minimal Kubernetes controller to handle kubelet-serving certificate signing requests at the control plane automatically during cluster bootstrapping.

Notifications You must be signed in to change notification settings

zoomoid/tbctrl

Repository files navigation

zoomoid/tbctrl

A minimal Kubernetes controller to handle kubelet-serving certificate signing requests at the control plane automatically during cluster bootstrapping.

For details, see

All this controller does is check some fields in the CSR to be plausible and to interfere as little with regular CSRs as possible, only reconciles CSRs from "system:node:NODE_NAME".

For a controller that does more checks and in general is more secure, see https://github.com/postfinance/kubelet-csr-approver. The repository also includes a threat model for security considerations, something this project neglects for reasons of simplicity.

If security is a major concern of yours, DO NOT USE this controller, as it can be leveraged to sign spoofed CSRs quite easily.

Deploy with Helm

Deploy the controller to a cluster with Helm by running

# Add the repo to your local helm repositories
$ helm repo add tbctrl https://zoomoid.github.io/tbctrl
# Install the controller into the cluster
$ helm install tls-bootstrapping-controller tbctrl/tbctrl -n kube-system

Deploy from manifests

You can also use static manifests, but be aware of the configuration: by default metrics are enabled, and the version is "latest".

# Deploy controller to kube-system namespace
$ kubectl apply -n kube-system -f https://raw.githubusercontent.com/zoomoid/tbctrl/main/manifests/tbctrl.yaml

You can also use the kustomization available in ./manifests/kustomization as a base to customize the deployment without having to dig too deep into the YAML files.

About

A minimal Kubernetes controller to handle kubelet-serving certificate signing requests at the control plane automatically during cluster bootstrapping.

Topics

Resources

Stars

Watchers

Forks

Packages