in internal/node/hybrid/kubelet_cert_validator.go [17:64]
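// ValidateKubeletCert checks that an already-present kubelet serving
// certificate under installRoot chains to the cluster CA supplied as PEM in ca.
//
// The intent is a pre-flight guard against reusing a node that was previously
// joined to a different cluster: the kubelet would keep serving the stale cert
// instead of requesting a new one. Two situations deliberately pass without
// error because the kubelet will obtain a fresh certificate on its own:
//   - the cert file does not exist;
//   - the cert is already expired (NotAfter in the past).
//
// Every other failure is returned: an unreadable or unparsable cert file, a CA
// bundle with no parsable certificate, or a cert that does not verify against
// the CA. The verification error is wrapped so the caller can see the actual
// reason (unknown authority, not yet valid, EKU mismatch, ...), which the
// previous message hid behind a generic "not valid for the current cluster".
func ValidateKubeletCert(logger *zap.Logger, installRoot string, ca []byte) error {
	logger.Info("Validating kubelet certificate...")
	certPath := filepath.Join(installRoot, kubelet.KubeletCurrentCertPath)

	// Read directly instead of Stat-then-Read: one syscall fewer and no window
	// in which the file can appear or disappear between the two calls.
	certData, err := os.ReadFile(certPath)
	if os.IsNotExist(err) {
		// No existing cert: nothing to validate, the kubelet will request one.
		return nil
	}
	if err != nil {
		return fmt.Errorf("reading kubelet certificate: %w", err)
	}

	cert, err := parseFirstCertificate(certData)
	if err != nil {
		return fmt.Errorf("parsing kubelet certificate: %w", err)
	}

	now := time.Now()
	if now.After(cert.NotAfter) {
		// Expired certs are rotated by the kubelet itself; failing here would
		// block a join that would otherwise self-heal.
		return nil
	}

	caPool := x509.NewCertPool()
	if !caPool.AppendCertsFromPEM(ca) {
		// AppendCertsFromPEM reports false only when not a single certificate
		// could be parsed from the bundle; a partially bad bundle is tolerated.
		return fmt.Errorf("parsing cluster CA certificate")
	}

	// Verify builds a chain from cert to one of the roots in caPool. With no
	// KeyUsages set, Go also requires the ExtKeyUsageServerAuth EKU, which a
	// kubelet serving certificate is expected to carry. No DNSName is set, so
	// the SAN list is intentionally not checked here — only the issuer matters.
	// NOTE(review): no Intermediates are supplied; this presumes the cluster CA
	// signs kubelet serving certs directly — confirm if the CA hierarchy changes.
	opts := x509.VerifyOptions{
		Roots:       caPool,
		CurrentTime: now,
	}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("kubelet certificate is not valid for the current cluster (%w). Please remove the kubelet server certificate file %s or use \"--skip kubelet-cert-validation\" if this is expected", err, certPath)
	}
	return nil
}

// parseFirstCertificate returns the first CERTIFICATE block found in a PEM
// bundle. The kubelet's current-cert file may hold more than one PEM block
// (e.g. the private key stored alongside the cert), so blocks of any other
// type are skipped rather than handed to the certificate parser.
func parseFirstCertificate(data []byte) (*x509.Certificate, error) {
	for rest := data; len(rest) > 0; {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			// No further PEM data; whatever is left is not a block.
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		return x509.ParseCertificate(block.Bytes)
	}
	return nil, fmt.Errorf("no CERTIFICATE block found")
}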