cruise-automation / k-rail

Kubernetes security tool for policy enforcement
Apache License 2.0
444 stars, 55 forks

k-rail Webhook Fails Due to TLS SANs Issue + Temporary Workaround #93

Status: Closed (ossie-git closed this issue 3 years ago)

ossie-git commented 3 years ago

Hi,

I just read about k-rail yesterday and decided to take it for a test run. After installation (following the steps in the GitHub page), I then tried verifying the installation by deploying the non-compliant-deployment.yaml. However, I ran into this error:

$ k create -f non-compliant-deployment.yaml 
Error from server (InternalError): error when creating "non-compliant-deployment.yaml": Internal error occurred: failed calling webhook "k-rail.cruise-automation.github.com": Post "https://k-rail.k-rail.svc:443/?timeout=1s": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0 

After some investigation, it appears that this is due to Kubernetes 1.19 being compiled with Golang 1.15 and that starting from Golang 1.15, certificates have to populate the SANs section, something which Helm doesn't currently do. They mention using an environment variable to temporarily disable this check, but it looks like even this workaround will be disabled in Golang 1.16.

I verified that my build uses Golang 1.15:

$ k version
Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.4", GitCommit:"d360454c9bcd1634cf4cc52d1867af5491dc9c5f", GitTreeState:"clean", BuildDate:"2020-11-11T13:17:17Z", GoVersion:"go1.15.2", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.1", GitCommit:"206bcadf021e76c27513500ca24182692aabd17e", GitTreeState:"clean", BuildDate:"2020-09-14T07:30:52Z", GoVersion:"go1.15", Compiler:"gc", Platform:"linux/amd64"}

Some related links:

https://github.com/helm/helm/issues/9046
https://github.com/kubesphere/kubesphere/issues/2928

As a temporary workaround, I added the following to my api-server's manifest:

env:
- name: GODEBUG
  value: x509ignoreCN=0

and it now works again. However, this is still a temporary workaround, and it looks like it won't work in future versions of Kubernetes.
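
Added example (not from the issue or the k-rail project): a small Go program that reproduces the check behind the error above. It builds an in-memory CN-only certificate and a SAN-bearing one for k-rail.k-rail.svc and runs Go's own hostname verification on each, which is the code path the kube-apiserver's TLS client goes through when it posts to the webhook. The function names and the self-signed certificates are the example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// selfSignedCert builds an in-memory self-signed serving cert for host. withSAN=false sets
// only the legacy Common Name (the issue's failing cert); withSAN=true also fills the DNSNames SAN.
func selfSignedCert(host string, withSAN bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withSAN {
		tmpl.DNSNames = []string{host}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CheckWebhookCert runs VerifyHostname (the check the apiserver's Go TLS client applies when
// posting to the webhook) on both variants. Expected on Go >= 1.15 without GODEBUG: false, true.
func CheckWebhookCert(host string) (cnOnlyOK, sanOK bool, err error) {
	cnCert, err := selfSignedCert(host, false)
	if err != nil {
		return false, false, err
	}
	sanCert, err := selfSignedCert(host, true)
	if err != nil {
		return false, false, err
	}
	return cnCert.VerifyHostname(host) == nil, sanCert.VerifyHostname(host) == nil, nil
}
```

The same check can be run against a deployed webhook's serving certificate by parsing the PEM from the secret and calling VerifyHostname with the service DNS name; an empty DNSNames field is the condition to look for.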

dustin-decker commented 3 years ago

Thanks for the report. This should be addressed by https://github.com/cruise-automation/k-rail/pull/97, which will be included in v2.6.0 later today.