🐛 Fix k8s.kublet caCertFile property (#2765)
According to the docs this has to be in the "authentication" category, not "authorization".

Related-to #1831

Signed-off-by: Christian Zunker <[email protected]>
czunker authored Dec 8, 2023
1 parent 42865df commit 2d341e2
Showing 7 changed files with 186 additions and 187 deletions.
1 change: 1 addition & 0 deletions providers-sdk/v1/testutils/testdata/kubelet-aks.json


1 change: 1 addition & 0 deletions providers-sdk/v1/testutils/testdata/kubelet.json


63 changes: 26 additions & 37 deletions providers/os/resources/kubelet.go
Expand Up @@ -9,16 +9,13 @@ import (
"fmt"
"strings"

"github.com/spf13/afero"
kubeletconfigv1beta1 "k8s.io/kubelet/config/v1beta1"

"sigs.k8s.io/yaml"

"go.mondoo.com/cnquery/v9/llx"
"go.mondoo.com/cnquery/v9/providers-sdk/v1/plugin"
"go.mondoo.com/cnquery/v9/providers-sdk/v1/util/convert"
"go.mondoo.com/cnquery/v9/providers/os/connection/shared"
"go.mondoo.com/cnquery/v9/types"
)

const defaultKubeletConfig = "/var/lib/kubelet/config.yaml"
Expand Down Expand Up @@ -50,56 +47,48 @@ func initKubelet(runtime *plugin.Runtime, args map[string]*llx.RawData) (map[str
configFilePath = path
}

provider, ok := runtime.Connection.(shared.Connection)
if !ok {
return nil, nil, fmt.Errorf("error getting operating system provider")
}
// AKS has no kubelet config file
configFileExists, err := afero.Exists(provider.FileSystem(), configFilePath)
f, err := CreateResource(runtime, "file", map[string]*llx.RawData{
"path": llx.StringData(configFilePath),
})
if err != nil {
return nil, nil, fmt.Errorf("error when checking whether config file exists: %v", err)
return nil, nil, err
}

if configFileExists {
f, err := CreateResource(runtime, "file", map[string]*llx.RawData{
"path": llx.StringData(configFilePath),
})
if err != nil {
return nil, nil, err
}
mqlFile, ok := f.(*mqlFile)
if !ok {
return nil, nil, err
}
args["configFile"] = llx.ResourceData(mqlFile, "file")
} else {
args["configFile"] = llx.NilData
mqlFile, ok := f.(*mqlFile)
if !ok {
return nil, nil, err
}
args["configFile"] = llx.ResourceData(mqlFile, "file")

return args, nil, nil
}

func (m *mqlKubelet) configuration() (map[string]interface{}, error) {
configFileData := ""
if m.ConfigFile.Data.GetContent() != nil {
configFileData = m.ConfigFile.Data.GetContent().Data
}
kubeletFlags := map[string]interface{}{}
if m.Process.Data.GetFlags() != nil {
kubeletFlags = m.Process.Data.GetFlags().Data
}
// I cannot re-use "mqlFile" here, as it is not read at this point in time
configuration, err := createConfiguration(kubeletFlags, configFilePath, provider, configFileExists)
configuration, err := createConfiguration(kubeletFlags, configFileData)
if err != nil {
return nil, nil, err
return nil, err
}
args["configuration"] = llx.MapData(configuration, types.String)

return args, nil, nil
return configuration, nil
}

// createConfiguration applies the kubelet defaults to the config and then
// merges the kubelet flags and the kubelet config file into a single map
// This map is representing the running state of the kubelet config
func createConfiguration(kubeletFlags map[string]interface{}, configFilePath string, provider shared.Connection, configFileExists bool) (map[string]interface{}, error) {
func createConfiguration(kubeletFlags map[string]interface{}, configFileContent string) (map[string]interface{}, error) {
kubeletConfig := kubeletconfigv1beta1.KubeletConfiguration{}
SetDefaults_KubeletConfiguration(&kubeletConfig)

// AKS has no kubelet config file
if configFileExists {
configFileContent, err := afero.ReadFile(provider.FileSystem(), configFilePath)
if err != nil {
return nil, fmt.Errorf("error when getting file content: %v", err)
}
err = yaml.Unmarshal([]byte(configFileContent), &kubeletConfig)
if configFileContent != "" {
err := yaml.Unmarshal([]byte(configFileContent), &kubeletConfig)
if err != nil {
return nil, fmt.Errorf("error when converting file content into KubeletConfiguration: %v", err)
}
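Review bot: In initKubelet the `if !ok { return nil, nil, err }` after the `f.(*mqlFile)` assertion returns a nil error, because `err` was already checked and is nil by then, so a failed assertion silently yields a kubelet resource with no configFile instead of a failure. Return a real error there, for example `return nil, nil, fmt.Errorf("unexpected resource type %T for kubelet config file", f)`; this code was moved rather than introduced by the commit, and initKubelet begins before the hunk. With the afero.Exists guard and its "AKS has no kubelet config file" comment gone, the missing-file case now rests on what the file resource's GetContent() returns for a non-existent path, and configuration() only tests it for nil and presumably drops any error it carries, which would make an unreadable config indistinguishable from the kubelet defaults. A comment in configuration() such as `// A missing config file (e.g. on AKS) leaves configFileData empty; createConfiguration then reports the kubelet defaults` would record that assumption, and it is worth confirming that a read error is not reported as the defaults. createConfiguration continues past the end of the hunk.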
12 changes: 6 additions & 6 deletions providers/os/resources/kubelet_flags.go
Expand Up @@ -150,16 +150,16 @@ func mergeDeprecatedFlagsIntoConfig(kubeletConfig map[string]interface{}, flags
kubeletConfig["authentication"] = auth
}
if _, ok := flags["client-ca-file"]; ok {
authz := map[string]interface{}{}
if _, ok := kubeletConfig["authorization"]; ok {
authz = kubeletConfig["authorization"].(map[string]interface{})
auth := map[string]interface{}{}
if _, ok := kubeletConfig["authentication"]; ok {
auth = kubeletConfig["authentication"].(map[string]interface{})
}
x509 := map[string]interface{}{}
if _, ok := authz["x509"]; ok {
x509 = authz["x509"].(map[string]interface{})
if _, ok := auth["x509"]; ok {
x509 = auth["x509"].(map[string]interface{})
}
x509["clientCAFile"] = flags["client-ca-file"]
kubeletConfig["authorization"] = authz
kubeletConfig["authentication"] = auth
}
if _, ok := flags["authorization-mode"]; ok {
authz := map[string]interface{}{}
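Review bot: The new `auth = kubeletConfig["authentication"].(map[string]interface{})`, and the `x509 = auth["x509"].(map[string]interface{})` below it, carry over the unchecked single-value assertion from the old authorization branch, so a non-map value under either key panics inside mergeDeprecatedFlagsIntoConfig instead of being reported. The checked form does the lookup and the assertion in one step: `if v, ok := kubeletConfig["authentication"].(map[string]interface{}); ok { auth = v }`, and likewise for x509. The block just above (`kubeletConfig["authentication"] = auth`) appears to build the same nested authentication map for another flag, so a small fetch-or-create helper for the nested map would remove the duplication, though that is optional. The move to authentication.x509.clientCAFile matters for any check that reads the client CA from the kubelet's authentication section, which presumably found nothing while the value sat under authorization. mergeDeprecatedFlagsIntoConfig begins and ends outside the hunk.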
