in internal/node/validate.go [64:119]
// CheckIdentity confirms that the credentials the kubelet presents are
// recognised by the API server as a node identity: the authenticated
// principal must be a member of the "system:nodes" group and carry a
// username prefixed "system:node:". The probe is skipped on kubelets
// older than v1.28.0, which cannot issue SelfSubjectReview requests.
// Progress and the final outcome are reported through informer, and
// every failure is annotated with badPermissionsRemediation.
//
// The node argument is not read in this body; only the principal seen by
// the API server is inspected.
func (a APIServerValidator) CheckIdentity(ctx context.Context, informer validation.Informer, node *api.NodeConfig) error {
	kubeletVersion, err := a.kubelet.Version()
	if err != nil {
		return err
	}
	// SelfSubjectReview is only accepted from nodes on v1.28.0 and later.
	// NOTE(review): semver.Compare sorts an unparsable version string below
	// every valid one, so a malformed version would skip this check entirely
	// — confirm the Version() contract guarantees a well-formed string.
	if semver.Compare(kubeletVersion, "v1.28.0") < 0 {
		return nil
	}

	const step = "kubernetes-node-identity"
	informer.Starting(ctx, step, "Validating Kubernetes identity matches a Node identity")
	// err is captured by reference so Done always receives the value that
	// is about to be returned, including the remediation-wrapped ones.
	defer func() { informer.Done(ctx, step, err) }()

	client, err := a.client()
	if err != nil {
		return err
	}

	var review *authenticationv1.SelfSubjectReview
	review, err = client.AuthenticationV1().SelfSubjectReviews().Create(
		ctx, &authenticationv1.SelfSubjectReview{}, metav1.CreateOptions{},
	)
	if err != nil {
		err = validation.WithRemediation(err, badPermissionsRemediation)
		return err
	}

	info := review.Status.UserInfo
	switch {
	case !slices.Contains(info.Groups, "system:nodes"):
		// Group membership is what grants node-scoped authorization.
		err = validation.WithRemediation(
			fmt.Errorf(
				"node identity %s for principal %s does not belong to the group 'system:nodes'",
				info.Username, principalARN(review),
			),
			badPermissionsRemediation,
		)
	case !strings.HasPrefix(info.Username, "system:node:"):
		// The username prefix is what the Node authorizer keys on.
		err = validation.WithRemediation(
			fmt.Errorf("node identity %s for principal %s does not match a node identity, username should start with 'system:node:'",
				info.Username, principalARN(review),
			),
			badPermissionsRemediation,
		)
	}
	// err is nil here when both checks passed.
	return err
}