From 29a5739b7ef54cb8f1e5872b5cd58bfeefc0991e Mon Sep 17 00:00:00 2001
From: Brad Davidson
Date: Thu, 23 Jan 2025 22:20:13 +0000
Subject: [PATCH] Remove local restriction for deferred node password validation
Restricting deferred node password validation to only requests from the local node is not possible without breaking split-role cluster cold start. There are too many cases where node password secrets may not yet be available due to the apiserver not being up.
Signed-off-by: Brad Davidson
---
 pkg/nodepassword/validate.go | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)
diff --git a/pkg/nodepassword/validate.go b/pkg/nodepassword/validate.go
index 272528b99e..43cef5c802 100644
--- a/pkg/nodepassword/validate.go
+++ b/pkg/nodepassword/validate.go
@@ -2,7 +2,6 @@ package nodepassword
 import (
 "context"
- "net"
 "net/http"
 "os"
 "path"
@@ -63,20 +62,15 @@ func GetNodeAuthValidator(ctx context.Context, control *config.Control) NodeAuth
 return "", http.StatusBadRequest, errors.New("header node name does not match auth node name")
 }
- // get client address, to see if deferred node password validation should be allowed when the apiserver
- // is not available. Deferred password validation is only allowed for requests from the local client.
- client, _, _ := net.SplitHostPort(req.RemoteAddr)
- isLocal := client == "127.0.0.1" || client == "::1" || client == control.BindAddress
-
 if secretClient == nil || nodeClient == nil {
 if runtime.Core != nil {
 // initialize the client if we can
 secretClient = runtime.Core.Core().V1().Secret()
 nodeClient = runtime.Core.Core().V1().Node()
- } else if isLocal && node.Name == os.Getenv("NODE_NAME") {
+ } else if node.Name == os.Getenv("NODE_NAME") {
 // If we're verifying our own password, verify it locally and ensure a secret later.
 return verifyLocalPassword(ctx, control, &mu, deferredNodes, node)
- } else if isLocal && control.DisableAPIServer && !isNodeAuth {
+ } else if control.DisableAPIServer && !isNodeAuth {
 // If we're running on an etcd-only node, and the request didn't use Node Identity auth,
 // defer node password verification until an apiserver joins the cluster.
 return verifyRemotePassword(ctx, control, &mu, deferredNodes, node)
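Review bot: Dropping `isLocal` from the `control.DisableAPIServer && !isNodeAuth` branch means that, on an etcd-only node before `runtime.Core` is available, any client that reaches this validator (presumably after whatever token check precedes it, which is outside this hunk) has its node password check deferred rather than enforced, so a caller can claim an existing node's name without presenting that node's password until the deferred check in `verifyRemotePassword` runs; the commit message explains why the restriction had to go, but the code should record that this is an accepted trade-off and what happens to anything already issued when the deferred verification later fails. I would add above that branch: `// NOTE: during cold start any token-authenticated client may reach this path; impersonation of an existing node name is only detected when the deferred check runs, so the window is bounded by how quickly an apiserver joins.` Since `deferredNodes` is now populated from remote requests, it is worth confirming that it is bounded or keyed so that a burst of bogus node names cannot grow it without limit — its definition is not visible here. The enclosing closure in GetNodeAuthValidator starts and ends outside this hunk.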