{"id":16573363,"url":"https://github.com/zoomoid/tbctrl","last_synced_at":"2025-10-29T04:30:46.393Z","repository":{"id":58588797,"uuid":"529370957","full_name":"zoomoid/tbctrl","owner":"zoomoid","description":"A minimal Kubernetes controller to handle kubelet-serving certificate signing requests at the control plane automatically during cluster bootstrapping.","archived":false,"fork":false,"pushed_at":"2024-09-18T07:45:15.000Z","size":399,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2024-09-18T10:12:41.385Z","etag":null,"topics":["controller","go","kubernetes"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/zoomoid.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-08-26T18:46:49.000Z","updated_at":"2024-09-18T07:44:12.000Z","dependencies_parsed_at":"2023-11-12T21:24:37.531Z","dependency_job_id":"847476d7-5ab4-4d3b-ba61-04c7f0b3fb88","html_url":"https://github.com/zoomoid/tbctrl","commit_stats":{"total_commits":119,"total_committers":2,"mean_commits":59.5,"dds":0.4369747899159664,"last_synced_commit":"41e43d6393405c4d10637ea1470368302e29223c"},"previous_names":[],"tags_count":13,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zoomoid%2Ftbctrl","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zoomoid%2Ftbctrl/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zoomoid%2Ftbctrl/release
s","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zoomoid%2Ftbctrl/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/zoomoid","download_url":"https://codeload.github.com/zoomoid/tbctrl/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":219858508,"owners_count":16556043,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["controller","go","kubernetes"],"created_at":"2024-10-11T21:41:59.382Z","updated_at":"2025-10-29T04:30:41.137Z","avatar_url":"https://github.com/zoomoid.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# zoomoid/tbctrl\n\nA minimal Kubernetes controller to handle kubelet-serving certificate signing requests at the control plane\nautomatically during cluster bootstrapping.\n\nFor details, see\n\n- \u003chttps://kubernetes.io/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/#client-and-serving-certificates\u003e and\n- \u003chttps://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#kubelet-serving-certs\u003e.\n\nAll this controller does is check that some fields in the CSR are plausible. To interfere as little\nwith regular CSRs as possible, it only reconciles CSRs from \"system:node:NODE_NAME\".\n\nFor a controller that does more checks and in general is more secure, see \u003chttps://github.com/postfinance/kubelet-csr-approver\u003e. 
The repository also includes a threat model for security considerations, something\nthis project neglects for reasons of simplicity.\n\n**If security is a major concern of yours, DO NOT USE this controller, as it can be leveraged to sign spoofed CSRs quite easily.**\n\n## Deploy with Helm\n\nDeploy the controller to a cluster with Helm by running\n\n```bash\n# Add the repo to your local helm repositories\n$ helm repo add tbctrl https://zoomoid.github.io/tbctrl\n# Install the controller into the cluster\n$ helm install tls-bootstrapping-controller tbctrl/tbctrl -n kube-system\n```\n\n## Deploy from manifests\n\nYou can also use static manifests, but be aware of the configuration: by default metrics are enabled,\nand the version is \"latest\".\n\n```bash\n# Deploy controller to kube-system namespace\n$ kubectl apply -n kube-system -f https://raw.githubusercontent.com/zoomoid/tbctrl/main/manifests/tbctrl.yaml\n```\n\nYou can also use the kustomization available in `./manifests/kustomization` as a base to customize the deployment without having to dig too deep into the YAML files.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzoomoid%2Ftbctrl","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fzoomoid%2Ftbctrl","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzoomoid%2Ftbctrl/lists"}