security: only approve validated CSR (#5972)

Signed-off-by: zhangzujian <zhangzujian.7@gmail.com>

Author: zhangzujian

pkg/controller/pki.go

@@ -15,7 +15,8 @@ import (
 )
 
 func (c *Controller) InitDefaultOVNIPsecCA() error {
-	_, err := c.config.KubeClient.CoreV1().Secrets("kube-system").Get(context.TODO(), util.DefaultOVNIPSecCA, metav1.GetOptions{})
+	namespace := os.Getenv("POD_NAMESPACE")
+	_, err := c.config.KubeClient.CoreV1().Secrets(namespace).Get(context.TODO(), util.DefaultOVNIPSecCA, metav1.GetOptions{})
 	if err == nil {
 		klog.Infof("ovn ipsec CA secret already exists, skip")
 		return nil
@@ -56,15 +57,15 @@ func (c *Controller) InitDefaultOVNIPsecCA() error {
 	secret := &v1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      util.DefaultOVNIPSecCA,
-			Namespace: "kube-system",
+			Namespace: namespace,
 		},
 		Data: map[string][]byte{
 			"cacert": cacert,
 			"cakey":  cakey,
 		},
 	}
 
-	if _, err = c.config.KubeClient.CoreV1().Secrets("kube-system").Create(context.TODO(), secret, metav1.CreateOptions{}); err != nil {
+	if _, err = c.config.KubeClient.CoreV1().Secrets(namespace).Create(context.TODO(), secret, metav1.CreateOptions{}); err != nil {
 		return err
 	}
 

pkg/controller/signer.go

@@ -11,6 +11,9 @@ import (
 	"errors"
 	"fmt"
 	"math/big"
+	"os"
+	"slices"
+	"strings"
 	"time"
 
 	csrv1 "k8s.io/api/certificates/v1"
@@ -22,8 +25,46 @@ import (
 	"github.com/kubeovn/kube-ovn/pkg/util"
 )
 
+func (c *Controller) validateCsrName(name string) error {
+	after, found := strings.CutPrefix(name, "ovn-ipsec-")
+	if !found || len(after) == 0 {
+		return fmt.Errorf("CSR name %s is invalid, must be in format ovn-ipsec-<node-name>", name)
+	}
+
+	node, err := c.nodesLister.Get(after)
+	if err != nil {
+		if k8serrors.IsNotFound(err) {
+			return fmt.Errorf("node %s not found for CSR %s", after, name)
+		}
+		return fmt.Errorf("failed to get node %s for CSR %s: %w", after, name, err)
+	}
+	if node.Status.NodeInfo.OperatingSystem != "linux" {
+		return fmt.Errorf("node %s is not linux, CSR %s is invalid", after, name)
+	}
+
+	return nil
+}
+
+func (c *Controller) isOVNIPSecCSR(csr *csrv1.CertificateSigningRequest) bool {
+	if csr.Spec.SignerName != util.SignerName ||
+		!strings.HasPrefix(csr.Name, "ovn-ipsec-") ||
+		!slices.Equal(csr.Spec.Usages, []csrv1.KeyUsage{csrv1.UsageIPsecTunnel}) {
+		return false
+	}
+	if err := c.validateCsrName(csr.Name); err != nil {
+		klog.Warningf("CSR %s validation failed: %v", csr.Name, err)
+		return false
+	}
+	return true
+}
+
 func (c *Controller) enqueueAddCsr(obj any) {
-	key := cache.MetaObjectToName(obj.(*csrv1.CertificateSigningRequest)).String()
+	req := obj.(*csrv1.CertificateSigningRequest)
+	if !c.isOVNIPSecCSR(req) {
+		return
+	}
+
+	key := cache.MetaObjectToName(req).String()
 	klog.V(3).Infof("enqueue add csr %s", key)
 	c.addOrUpdateCsrQueue.Add(key)
 }
@@ -34,6 +75,9 @@ func (c *Controller) enqueueUpdateCsr(oldObj, newObj any) {
 	if oldCsr.ResourceVersion == newCsr.ResourceVersion {
 		return
 	}
+	if !c.isOVNIPSecCSR(newCsr) {
+		return
+	}
 
 	key := cache.MetaObjectToName(newCsr).String()
 	klog.V(3).Infof("enqueue update csr %s", key)
@@ -50,10 +94,6 @@ func (c *Controller) handleAddOrUpdateCsr(key string) (err error) {
 		return err
 	}
 
-	if csr.Spec.SignerName != util.SignerName {
-		return nil
-	}
-
 	if len(csr.Status.Certificate) != 0 {
 		// Request already has a certificate. There is nothing
 		// to do as we will, currently, not re-certify or handle any updates to
@@ -83,7 +123,7 @@ func (c *Controller) handleAddOrUpdateCsr(key string) (err error) {
 	}
 	// From this, point we are dealing with an approved CSR
 	// Get CA in from ovn-ipsec-ca
-	caSecret, err := c.config.KubeClient.CoreV1().Secrets("kube-system").Get(context.TODO(), util.DefaultOVNIPSecCA, metav1.GetOptions{})
+	caSecret, err := c.config.KubeClient.CoreV1().Secrets(os.Getenv("POD_NAMESPACE")).Get(context.TODO(), util.DefaultOVNIPSecCA, metav1.GetOptions{})
 	if err != nil {
 		c.signerFailure(csr, "CAFailure",
 			fmt.Sprintf("Could not get CA certificate and key: %v", err))

pkg/daemon/ipsec.go

@@ -297,10 +297,6 @@ func (c *Controller) getCertManagerSignedCert(ctx context.Context, csrBytes []by
 
 func (c *Controller) getSignedCert(ctx context.Context, csrBytes []byte) ([]byte, error) {
 	csr := &v1.CertificateSigningRequest{
-		TypeMeta: metav1.TypeMeta{
-			APIVersion: "certificates.k8s.io/v1",
-			Kind:       "CertificateSigningRequest",
-		},
 		ObjectMeta: metav1.ObjectMeta{
 			Name: "ovn-ipsec-" + os.Getenv("HOSTNAME"),
 		},