mirror of https://github.com/kubernetes/kops.git
azure: Verify VM ID when registering nodes
parent
15b44bad52
commit
576ef5ea48
|
@ -43,23 +43,28 @@ func (h *azureAuthenticator) CreateToken(body []byte) (string, error) {
|
||||||
return "", fmt.Errorf("querying instance metadata: %w", err)
|
return "", fmt.Errorf("querying instance metadata: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
vmId := m.Compute.VMID
|
||||||
|
if vmId == "" {
|
||||||
|
return "", fmt.Errorf("missing virtual machine ID")
|
||||||
|
}
|
||||||
|
|
||||||
// The fully qualified VMSS VM resource ID format is:
|
// The fully qualified VMSS VM resource ID format is:
|
||||||
// /subscriptions/SUBSCRIPTION_ID/resourceGroups/RESOURCE_GROUP_NAME/providers/Microsoft.Compute/virtualMachineScaleSets/VMSS_NAME/virtualMachines/VMSS_INDEX
|
// /subscriptions/SUBSCRIPTION_ID/resourceGroups/RESOURCE_GROUP_NAME/providers/Microsoft.Compute/virtualMachineScaleSets/VMSS_NAME/virtualMachines/VMSS_INDEX
|
||||||
r := strings.Split(m.Compute.ResourceID, "/")
|
r := strings.Split(m.Compute.ResourceID, "/")
|
||||||
if len(r) != 11 || r[7] != "virtualMachineScaleSets" || r[9] != "virtualMachines" {
|
if len(r) != 11 || r[7] != "virtualMachineScaleSets" || r[9] != "virtualMachines" {
|
||||||
return "", fmt.Errorf("unexpected resource ID format: %q", m.Compute.ResourceID)
|
return "", fmt.Errorf("unexpected resource ID format: %q", m.Compute.ResourceID)
|
||||||
}
|
}
|
||||||
|
|
||||||
vmssName := r[8]
|
vmssName := r[8]
|
||||||
vmssIndex := r[10]
|
vmssIndex := r[10]
|
||||||
|
|
||||||
return AzureAuthenticationTokenPrefix + vmssName + " " + vmssIndex, nil
|
return AzureAuthenticationTokenPrefix + vmId + " " + vmssName + " " + vmssIndex, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
type instanceComputeMetadata struct {
|
type instanceComputeMetadata struct {
|
||||||
ResourceGroupName string `json:"resourceGroupName"`
|
ResourceGroupName string `json:"resourceGroupName"`
|
||||||
ResourceID string `json:"resourceId"`
|
ResourceID string `json:"resourceId"`
|
||||||
SubscriptionID string `json:"subscriptionId"`
|
SubscriptionID string `json:"subscriptionId"`
|
||||||
|
VMID string `json:"vmId"`
|
||||||
}
|
}
|
||||||
|
|
||||||
type instanceMetadata struct {
|
type instanceMetadata struct {
|
||||||
|
|
|
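Review bot: The token layout built in the final `return` is an unwritten contract with the verifier, which splits on spaces and requires exactly three fields, so it deserves a comment at the return such as `// Token format: <prefix><vmId> <vmssName> <vmssIndex>; keep in sync with VerifyToken`. Because the field count changes from two to three, a token produced by a node built before this commit would presumably be rejected with "incorrect token format" by an updated verifier, which is worth stating in the commit description if upgrades can mix versions. As a style point, Go's initialism convention would name the local `vmID`, matching the `VMID` field it is read from. CreateToken begins before this hunk.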
@ -58,16 +58,23 @@ func (a azureVerifier) VerifyToken(ctx context.Context, rawRequest *http.Request
|
||||||
}
|
}
|
||||||
|
|
||||||
v := strings.Split(strings.TrimPrefix(token, AzureAuthenticationTokenPrefix), " ")
|
v := strings.Split(strings.TrimPrefix(token, AzureAuthenticationTokenPrefix), " ")
|
||||||
if len(v) != 2 {
|
if len(v) != 3 {
|
||||||
return nil, fmt.Errorf("incorrect token format")
|
return nil, fmt.Errorf("incorrect token format")
|
||||||
}
|
}
|
||||||
vmssName := v[0]
|
vmId := v[0]
|
||||||
vmssIndex := v[1]
|
vmssName := v[1]
|
||||||
|
vmssIndex := v[2]
|
||||||
|
|
||||||
vm, err := a.client.vmsClient.Get(ctx, a.client.resourceGroup, vmssName, vmssIndex, "")
|
vm, err := a.client.vmsClient.Get(ctx, a.client.resourceGroup, vmssName, vmssIndex, "")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("getting info for VMSS virtual machine %q #%s: %w", vmssName, vmssIndex, err)
|
return nil, fmt.Errorf("getting info for VMSS virtual machine %q #%s: %w", vmssName, vmssIndex, err)
|
||||||
}
|
}
|
||||||
|
if vm.VMID == nil {
|
||||||
|
return nil, fmt.Errorf("determining VMID for VMSS %q virtual machine #%s", vmssName, vmssIndex)
|
||||||
|
}
|
||||||
|
if vmId != *vm.VMID {
|
||||||
|
return nil, fmt.Errorf("matching VMID %q for VMSS %q virtual machine #%s", vmId, vmssName, vmssIndex)
|
||||||
|
}
|
||||||
if vm.OsProfile == nil || *vm.OsProfile.ComputerName == "" {
|
if vm.OsProfile == nil || *vm.OsProfile.ComputerName == "" {
|
||||||
return nil, fmt.Errorf("determining ComputerName for VMSS %q virtual machine #%s", vmssName, vmssIndex)
|
return nil, fmt.Errorf("determining ComputerName for VMSS %q virtual machine #%s", vmssName, vmssIndex)
|
||||||
}
|
}
|
||||||
|
|
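Review bot: The three token fields are used as soon as the `len(v) != 3` check passes, so an empty `vmId`, `vmssName` or `vmssIndex` reaches `a.client.vmsClient.Get` before anything rejects it; I would add `if vmId == "" || vmssName == "" || vmssIndex == "" { return nil, fmt.Errorf("incorrect token format") }` right after the split. The new `vmId != *vm.VMID` comparison ties the token to one VM, but all three values are asserted by the caller and a VM ID is an identifier rather than a secret, so a comment such as `// vmId binds the token to a specific VM; it does not by itself authenticate the caller` would stop later readers treating it as a credential. The unchanged `*vm.OsProfile.ComputerName` dereference just below has no nil check on `ComputerName`, unlike the new `vm.VMID == nil` guard. VerifyToken starts and ends outside this hunk, so later checks in the function may already cover part of this.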