/* Copyright 2017 The Kubernetes Authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ // Package cleaner implements an automated cleaner that does garbage collection // on CSRs that meet specific criteria. With automated CSR requests and // automated approvals, the volume of CSRs only increases over time, at a rapid // rate if the certificate duration is short. package cleaner import ( "crypto/x509" "encoding/pem" "fmt" "time" "k8s.io/klog" capi "k8s.io/api/certificates/v1beta1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/labels" utilruntime "k8s.io/apimachinery/pkg/util/runtime" "k8s.io/apimachinery/pkg/util/wait" certificatesinformers "k8s.io/client-go/informers/certificates/v1beta1" csrclient "k8s.io/client-go/kubernetes/typed/certificates/v1beta1" certificateslisters "k8s.io/client-go/listers/certificates/v1beta1" ) const ( // The interval to list all CSRs and check each one against the criteria to // automatically clean it up. pollingInterval = 1 * time.Hour // The time periods after which these different CSR statuses should be // cleaned up. approvedExpiration = 1 * time.Hour deniedExpiration = 1 * time.Hour pendingExpiration = 24 * time.Hour ) // CSRCleanerController is a controller that garbage collects old certificate // signing requests (CSRs). Since there are mechanisms that automatically // create CSRs, and mechanisms that automatically approve CSRs, in order to // prevent a build up of CSRs over time, it is necessary to GC them. CSRs will // be removed if they meet one of the following criteria: the CSR is Approved // with a certificate and is old enough to be past the GC issued deadline, the // CSR is denied and is old enough to be past the GC denied deadline, the CSR // is Pending and is old enough to be past the GC pending deadline, the CSR is // approved with a certificate and the certificate is expired. type CSRCleanerController struct { csrClient csrclient.CertificateSigningRequestInterface csrLister certificateslisters.CertificateSigningRequestLister } // NewCSRCleanerController creates a new CSRCleanerController. func NewCSRCleanerController( csrClient csrclient.CertificateSigningRequestInterface, csrInformer certificatesinformers.CertificateSigningRequestInformer, ) *CSRCleanerController { return &CSRCleanerController{ csrClient: csrClient, csrLister: csrInformer.Lister(), } } // Run the main goroutine responsible for watching and syncing jobs. func (ccc *CSRCleanerController) Run(workers int, stopCh <-chan struct{}) { defer utilruntime.HandleCrash() klog.Infof("Starting CSR cleaner controller") defer klog.Infof("Shutting down CSR cleaner controller") for i := 0; i < workers; i++ { go wait.Until(ccc.worker, pollingInterval, stopCh) } <-stopCh } // worker runs a thread that dequeues CSRs, handles them, and marks them done. func (ccc *CSRCleanerController) worker() { csrs, err := ccc.csrLister.List(labels.Everything()) if err != nil { klog.Errorf("Unable to list CSRs: %v", err) return } for _, csr := range csrs { if err := ccc.handle(csr); err != nil { klog.Errorf("Error while attempting to clean CSR %q: %v", csr.Name, err) } } } func (ccc *CSRCleanerController) handle(csr *capi.CertificateSigningRequest) error { isIssuedExpired, err := isIssuedExpired(csr) if err != nil { return err } if isIssuedPastDeadline(csr) || isDeniedPastDeadline(csr) || isPendingPastDeadline(csr) || isIssuedExpired { if err := ccc.csrClient.Delete(csr.Name, nil); err != nil { return fmt.Errorf("unable to delete CSR %q: %v", csr.Name, err) } } return nil } // isIssuedExpired checks if the CSR has been issued a certificate and if the // expiration of the certificate (the NotAfter value) has passed. func isIssuedExpired(csr *capi.CertificateSigningRequest) (bool, error) { isExpired, err := isExpired(csr) if err != nil { return false, err } for _, c := range csr.Status.Conditions { if c.Type == capi.CertificateApproved && isIssued(csr) && isExpired { klog.Infof("Cleaning CSR %q as the associated certificate is expired.", csr.Name) return true, nil } } return false, nil } // isPendingPastDeadline checks if the certificate has a Pending status and the // creation time of the CSR is passed the deadline that pending requests are // maintained for. func isPendingPastDeadline(csr *capi.CertificateSigningRequest) bool { // If there are no Conditions on the status, the CSR will appear via // `kubectl` as `Pending`. if len(csr.Status.Conditions) == 0 && isOlderThan(csr.CreationTimestamp, pendingExpiration) { klog.Infof("Cleaning CSR %q as it is more than %v old and unhandled.", csr.Name, pendingExpiration) return true } return false } // isDeniedPastDeadline checks if the certificate has a Denied status and the // creation time of the CSR is passed the deadline that denied requests are // maintained for. func isDeniedPastDeadline(csr *capi.CertificateSigningRequest) bool { for _, c := range csr.Status.Conditions { if c.Type == capi.CertificateDenied && isOlderThan(c.LastUpdateTime, deniedExpiration) { klog.Infof("Cleaning CSR %q as it is more than %v old and denied.", csr.Name, deniedExpiration) return true } } return false } // isIssuedPastDeadline checks if the certificate has an Issued status and the // creation time of the CSR is passed the deadline that issued requests are // maintained for. func isIssuedPastDeadline(csr *capi.CertificateSigningRequest) bool { for _, c := range csr.Status.Conditions { if c.Type == capi.CertificateApproved && isIssued(csr) && isOlderThan(c.LastUpdateTime, approvedExpiration) { klog.Infof("Cleaning CSR %q as it is more than %v old and approved.", csr.Name, approvedExpiration) return true } } return false } // isOlderThan checks that t is a non-zero time after time.Now() + d. func isOlderThan(t metav1.Time, d time.Duration) bool { return !t.IsZero() && t.Sub(time.Now()) < -1*d } // isIssued checks if the CSR has `Issued` status. There is no explicit // 'Issued' status. Implicitly, if there is a certificate associated with the // CSR, the CSR statuses that are visible via `kubectl` will include 'Issued'. func isIssued(csr *capi.CertificateSigningRequest) bool { return csr.Status.Certificate != nil } // isExpired checks if the CSR has a certificate and the date in the `NotAfter` // field has gone by. func isExpired(csr *capi.CertificateSigningRequest) (bool, error) { if csr.Status.Certificate == nil { return false, nil } block, _ := pem.Decode(csr.Status.Certificate) if block == nil { return false, fmt.Errorf("expected the certificate associated with the CSR to be PEM encoded") } certs, err := x509.ParseCertificates(block.Bytes) if err != nil { return false, fmt.Errorf("unable to parse certificate data: %v", err) } return time.Now().After(certs[0].NotAfter), nil }