Commit

Allow CSR that contains either IP or DNS as SANs
In some environments, kubelet may only send IP addresses or DNS
address as SANs in CSR. For example, kubelet which starts with
`--hostname-override=IP_ADDRRES` only sends IP addresses.
So we should allow this CSR.
yuanying committed Mar 23, 2020
1 parent 33a7f96 commit a89c0d0
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion pkg/controller/certificatesigningrequest/helpers.go
Expand Up @@ -73,7 +73,7 @@ func isNodeServingCert(csr *capi.CertificateSigningRequest, x509cr *x509.Certifi
klog.Warningf("Org does not match: %s", x509cr.Subject.Organization)
return false
}
if (len(x509cr.DNSNames) < 1) || (len(x509cr.IPAddresses) < 1) {
if (len(x509cr.DNSNames) < 1) && (len(x509cr.IPAddresses) < 1) {
return false
}
if !hasExactUsages(csr, kubeletServerUsages) {
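Review bot: The SAN rejection branch in isNodeServingCert still fails silently. The Org mismatch branch just above logs through `klog.Warningf` before returning false, while the `return false` under the new `(len(x509cr.DNSNames) < 1) && (len(x509cr.IPAddresses) < 1)` condition gives an operator no hint why a kubelet serving CSR was refused; a matching warning there would make the `--hostname-override` case from the commit message diagnosable. Because the change from `||` to `&&` widens what the approver accepts, it should also come with unit tests for the IP-only, DNS-only and no-SAN cases, and the commit touches only helpers.go. Note too that the visible check only counts SAN entries and does not tie them to the requesting node, so a short comment stating which other check is relied on for that would help future readers.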

0 comments on commit a89c0d0