Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/zoomoid/tbctrl

A minimal Kubernetes controller to handle kubelet-serving certificate signing requests at the control plane automatically during cluster bootstrapping.

controller go kubernetes

Last synced: 27 days ago

# zoomoid/tbctrl

A minimal Kubernetes controller to handle kubelet-serving certificate signing requests at the control plane
automatically during cluster bootstrapping.

For details, see

- and
- .

All this controller does is check that some fields in the CSR are plausible. To interfere as little
as possible with regular CSRs, it only reconciles CSRs from "system:node:NODE_NAME".

For a controller that performs more checks and is generally more secure, see . That repository also includes a threat model for security considerations, something
this project neglects for reasons of simplicity.

**If security is a major concern of yours, DO NOT USE this controller, as it can be leveraged to sign spoofed CSRs quite easily.**
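
To make "plausible fields" concrete, here is an added example (not tbctrl's own code) of field-level checks for a `kubernetes.io/kubelet-serving` request, following the subject and subjectAltName rules Kubernetes documents for that signer. The function names, the sample values, and the rule that the requester must equal the common name are assumptions of this example; key usages, which live on the CSR object rather than in the X.509 request, are not checked.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"net"
	"strings"
)

const kubeletServingSigner = "kubernetes.io/kubelet-serving"

// plausibleKubeletServingCSR (hypothetical name) applies the subject and SAN rules
// Kubernetes documents for the kubelet-serving signer, plus the assumption that the
// authenticated requester must be the node named in the common name.
func plausibleKubeletServingCSR(signer, requester string, cr *x509.CertificateRequest) error {
	cn, org := cr.Subject.CommonName, cr.Subject.Organization
	switch {
	case signer != kubeletServingSigner:
		return errors.New("not a kubelet-serving request")
	case !strings.HasPrefix(cn, "system:node:") || cn == "system:node:":
		return errors.New("common name is not system:node:NODE_NAME")
	case requester != cn:
		return fmt.Errorf("requester %q does not match common name %q", requester, cn)
	case len(org) != 1 || org[0] != "system:nodes":
		return errors.New("organization must be exactly [system:nodes]")
	case len(cr.DNSNames)+len(cr.IPAddresses) == 0:
		return errors.New("at least one DNS or IP subjectAltName is required")
	case len(cr.EmailAddresses)+len(cr.URIs) > 0:
		return errors.New("email and URI subjectAltNames are not permitted")
	}
	return nil
}

// sampleCSR builds a constructed request for the demo; no real cluster data.
func sampleCSR(cn, org string, dns []string, ips ...net.IP) *x509.CertificateRequest {
	return &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: cn, Organization: []string{org}},
		DNSNames: dns, IPAddresses: ips,
	}
}

func main() {
	node := "system:node:worker-1"
	ok := sampleCSR(node, "system:nodes", []string{"worker-1"}, net.ParseIP("10.0.0.5"))
	fmt.Println(plausibleKubeletServingCSR(kubeletServingSigner, node, ok)) // <nil>
	// Field checks cannot tell whether a SAN really belongs to the requesting node.
	other := sampleCSR(node, "system:nodes", []string{"worker-2"})
	fmt.Println(plausibleKubeletServingCSR(kubeletServingSigner, node, other)) // <nil>
}
```

The second request passes because nothing in these checks compares the requested names with the node's actual addresses, which is the gap the warning above refers to.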

## Deploy with Helm

Deploy the controller to a cluster with Helm by running

```bash
# Add the repo to your local helm repositories
helm repo add tbctrl https://zoomoid.github.io/tbctrl
# Install the controller into the cluster
helm install tls-bootstrapping-controller tbctrl/tbctrl -n kube-system
```

## Deploy from manifests

You can also use static manifests, but be aware of the configuration: by default metrics are enabled,
and the version is "latest".

```bash
# Deploy controller to kube-system namespace
kubectl apply -n kube-system -f https://raw.githubusercontent.com/zoomoid/tbctrl/main/manifests/tbctrl.yaml
```

You can also use the kustomization available in `./manifests/kustomization` as a base to customize the deployment without having to dig too deep into the YAML files.