feat: add spiffe integration in master and worker

TessaIO · TessaIO · commit c77c370d0d49 · 2025-03-09T19:41:02.000+01:00
Signed-off-by: TessaIO &lt;ahmedgrati1999@gmail.com&gt;
diff --git a/cmd/nfd-master/main.go b/cmd/nfd-master/main.go
@@ -73,6 +73,8 @@ func main() {
 			args.Overrides.ResyncPeriod = overrides.ResyncPeriod
 		case "nfd-api-parallelism":
 			args.Overrides.NfdApiParallelism = overrides.NfdApiParallelism
+		case "enable-spiffe":
+			args.Overrides.EnableSpiffe = overrides.EnableSpiffe
 		}
 	})
 
@@ -140,6 +142,8 @@ func initFlags(flagset *flag.FlagSet) (*master.Args, *master.ConfigOverrideArgs)
 	flagset.Var(overrides.ResyncPeriod, "resync-period", "Specify the NFD API controller resync period.")
 	overrides.NfdApiParallelism = flagset.Int("nfd-api-parallelism", 10, "Defines the maximum number of goroutines responsible of updating nodes. "+
 		"Can be used for the throttling mechanism.")
+	overrides.EnableSpiffe = flagset.Bool("enable-spiffe", false,
+		"Enables the Spiffe signature verification of created CRDs. This is still an EXPERIMENTAL feature.")
 
 	return args, overrides
 }
diff --git a/cmd/nfd-worker/main.go b/cmd/nfd-worker/main.go
@@ -93,6 +93,8 @@ func parseArgs(flags *flag.FlagSet, osArgs ...string) *worker.Args {
 			args.Overrides.LabelSources = overrides.LabelSources
 		case "no-owner-refs":
 			args.Overrides.NoOwnerRefs = overrides.NoOwnerRefs
+		case "enable-spiffe":
+			args.Overrides.EnableSpiffe = overrides.EnableSpiffe
 		}
 	})
 
@@ -131,6 +133,8 @@ func initFlags(flagset *flag.FlagSet) (*worker.Args, *worker.ConfigOverrideArgs)
 	flagset.Var(overrides.LabelSources, "label-sources",
 		"Comma separated list of label sources. Special value 'all' enables all sources. "+
 			"Prefix the source name with '-' to disable it.")
+	overrides.EnableSpiffe = flagset.Bool("enable-spiffe", false,
+		"Enables the Spiffe signature verification of created CRDs. This is still an EXPERIMENTAL feature.")
 
 	return args, overrides
 }
diff --git a/go.sum b/go.sum
@@ -123,6 +123,27 @@ github.com/google/pprof v0.0.0-20241210010833-40e02aabc2ad h1:a6HEuzUHeKH6hwfN/Z
 github.com/google/pprof v0.0.0-20241210010833-40e02aabc2ad/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8=
+github.com/googleapis/enterprise-certificate-proxy v0.1.0/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8=
+github.com/googleapis/enterprise-certificate-proxy v0.2.0/go.mod h1:8C0jb7/mgJe/9KK8Lm7X9ctZC2t60YyIpYEI16jx0Qg=
+github.com/googleapis/enterprise-certificate-proxy v0.2.1/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k=
+github.com/googleapis/enterprise-certificate-proxy v0.2.3/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k=
+github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
+github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
+github.com/googleapis/gax-go/v2 v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pfu6SK+H1/DsU0=
+github.com/googleapis/gax-go/v2 v2.1.1/go.mod h1:hddJymUZASv3XPyGkUpKj8pPO47Rmb0eJc8R6ouapiM=
+github.com/googleapis/gax-go/v2 v2.2.0/go.mod h1:as02EH8zWkzwUoLbBaFeQ+arQaj/OthfcblKl4IGNaM=
+github.com/googleapis/gax-go/v2 v2.3.0/go.mod h1:b8LNqSzNabLiUpXKkY7HAR5jr6bIT99EXz9pXxye9YM=
+github.com/googleapis/gax-go/v2 v2.4.0/go.mod h1:XOTVJ59hdnfJLIP/dh8n5CGryZR2LxK9wbMD5+iXC6c=
+github.com/googleapis/gax-go/v2 v2.5.1/go.mod h1:h6B0KMMFNtI2ddbGJn3T3ZbwkeT6yqEF02fYlzkUCyo=
+github.com/googleapis/gax-go/v2 v2.6.0/go.mod h1:1mjbznJAPHFpesgE5ucqfYEscaz5kMdcIDwU/6+DDoY=
+github.com/googleapis/gax-go/v2 v2.7.0/go.mod h1:TEop28CZZQ2y+c0VxMUmu1lV+fQx57QpBWsYpwqHJx8=
+github.com/googleapis/gax-go/v2 v2.7.1/go.mod h1:4orTrqY6hXxxaUL4LHIPl6lGo8vAE38/qKbhSAKP6QI=
+github.com/googleapis/gax-go/v2 v2.8.0/go.mod h1:4orTrqY6hXxxaUL4LHIPl6lGo8vAE38/qKbhSAKP6QI=
+github.com/googleapis/gax-go/v2 v2.10.0/go.mod h1:4UOEnMCrxsSqQ940WnTiD6qJ63le2ev3xfyagutxiPw=
+github.com/googleapis/gax-go/v2 v2.11.0/go.mod h1:DxmR61SGKkGLa2xigwuZIQpkCI2S5iydzRfb3peWZJI=
+github.com/googleapis/go-type-adapters v1.0.0/go.mod h1:zHW75FOG2aur7gAO2B+MLby+cLsWGBF62rFAi7WjWO4=
+github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g=
 github.com/gopherjs/gopherjs v1.17.2 h1:fQnZVsXk8uxXIStYb0N4bGk7jeyTalG/wsZjQ25dO0g=
 github.com/gopherjs/gopherjs v1.17.2/go.mod h1:pRRIvn/QzFLrKfvEz3qUuEhtE/zLCWfreZ6J5gM2i+k=
 github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
@@ -262,6 +283,7 @@ github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSS
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
diff --git a/pkg/nfd-master/nfd-master.go b/pkg/nfd-master/nfd-master.go
@@ -51,6 +51,13 @@ import (
 	"sigs.k8s.io/yaml"
 
 	nfdclientset "sigs.k8s.io/node-feature-discovery/api/generated/clientset/versioned"
+	klogutils "sigs.k8s.io/node-feature-discovery/pkg/utils/klog"
+	spiffe "sigs.k8s.io/node-feature-discovery/pkg/utils/spiffe"
+
+	taintutils "k8s.io/kubernetes/pkg/util/taints"
+	"sigs.k8s.io/yaml"
+
+	"sigs.k8s.io/node-feature-discovery/api/nfd/v1alpha1"
 	nfdv1alpha1 "sigs.k8s.io/node-feature-discovery/api/nfd/v1alpha1"
 	"sigs.k8s.io/node-feature-discovery/pkg/apis/nfd/nodefeaturerule"
 	"sigs.k8s.io/node-feature-discovery/pkg/apis/nfd/validate"
@@ -60,6 +67,9 @@ import (
 	"sigs.k8s.io/node-feature-discovery/pkg/version"
 )
 
+// SocketPath specifies Spiffe Socket Path
+const SocketPath = "unix:///run/spire/sockets/agent.sock"
+
 // Labels are a Kubernetes representation of discovered features.
 type Labels map[string]string
 
@@ -92,6 +102,7 @@ type NFDConfig struct {
 	NfdApiParallelism int
 	Klog              klogutils.KlogConfigOpts
 	Restrictions      Restrictions
+	EnableSpiffe      bool
 }
 
 // LeaderElectionConfig contains the configuration for leader election
@@ -110,6 +121,7 @@ type ConfigOverrideArgs struct {
 	NoPublish         *bool
 	ResyncPeriod      *utils.DurationVal
 	NfdApiParallelism *int
+	EnableSpiffe      *bool
 }
 
 // Args holds command line arguments
@@ -149,7 +161,8 @@ type nfdMaster struct {
 	nfdClient      nfdclientset.Interface
 	updaterPool    *updaterPool
 	deniedNs
-	config *NFDConfig
+	config       *NFDConfig
+	spiffeClient *spiffe.SpiffeClient
 }
 
 // NewNfdMaster creates a new NfdMaster server instance.
@@ -206,6 +219,12 @@ func NewNfdMaster(opts ...NfdMasterOption) (NfdMaster, error) {
 
 	nfd.updaterPool = newUpdaterPool(nfd)
 
+	spiffeClient, err := spiffe.NewSpiffeClient(SocketPath)
+	if err != nil {
+		return nfd, err
+	}
+	nfd.spiffeClient = spiffeClient
+
 	return nfd, nil
 }
 
@@ -247,14 +266,15 @@ func newDefaultConfig() *NFDConfig {
 			RetryPeriod:   utils.DurationVal{Duration: time.Duration(2) * time.Second},
 			RenewDeadline: utils.DurationVal{Duration: time.Duration(10) * time.Second},
 		},
-		Klog: make(map[string]string),
 		Restrictions: Restrictions{
 			DisableLabels:            false,
 			DisableExtendedResources: false,
 			DisableAnnotations:       false,
 			AllowOverwrite:           true,
 			DenyNodeFeatureLabels:    false,
 		},
+		Klog:         make(map[string]string),
+		EnableSpiffe: false,
 	}
 }
 
@@ -677,6 +697,55 @@ func (m *nfdMaster) nfdAPIUpdateOneNode(cli k8sclient.Interface, node *corev1.No
 		return fmt.Errorf("failed to merge NodeFeature objects for node %q: %w", node.Name, err)
 	}
 
+	// Sort our objects
+	sort.Slice(objs, func(i, j int) bool {
+		// Objects in our nfd namespace gets into the beginning of the list
+		if objs[i].Namespace == m.namespace && objs[j].Namespace != m.namespace {
+			return true
+		}
+		if objs[i].Namespace != m.namespace && objs[j].Namespace == m.namespace {
+			return false
+		}
+		// After the nfd namespace, sort objects by their name
+		if objs[i].Name != objs[j].Name {
+			return objs[i].Name < objs[j].Name
+		}
+		// Objects with the same name are sorted by their namespace
+		return objs[i].Namespace < objs[j].Namespace
+	})
+
+	// If spiffe is enabled, we should filter out the non verified NFD objects
+	if m.config.EnableSpiffe {
+		objs, err = m.getVerifiedNFDObjects(objs)
+		if err != nil {
+			return err
+		}
+	}
+
+	klog.V(1).InfoS("processing of node initiated by NodeFeature API", "nodeName", node.Name)
+
+	features := nfdv1alpha1.NewNodeFeatureSpec()
+
+	if len(objs) > 0 {
+		// Merge in features
+		//
+		// NOTE: changing the rule api to support handle multiple objects instead
+		// of merging would probably perform better with lot less data to copy.
+		features = objs[0].Spec.DeepCopy()
+		if m.config.AutoDefaultNs {
+			features.Labels = addNsToMapKeys(features.Labels, nfdv1alpha1.FeatureLabelNs)
+		}
+		for _, o := range objs[1:] {
+			s := o.Spec.DeepCopy()
+			if m.config.AutoDefaultNs {
+				s.Labels = addNsToMapKeys(s.Labels, nfdv1alpha1.FeatureLabelNs)
+			}
+			s.MergeInto(features)
+		}
+
+		klog.V(4).InfoS("merged nodeFeatureSpecs", "newNodeFeatureSpec", utils.DelayedDumper(features))
+	}
+
 	// Update node labels et al. This may also mean removing all NFD-owned
 	// labels (et al.), for example  in the case no NodeFeature objects are
 	// present.
@@ -1187,6 +1256,9 @@ func (m *nfdMaster) configure(filepath string, overrides string) error {
 	if m.args.Overrides.NfdApiParallelism != nil {
 		c.NfdApiParallelism = *m.args.Overrides.NfdApiParallelism
 	}
+	if m.args.Overrides.EnableSpiffe != nil {
+		c.EnableSpiffe = *m.args.Overrides.EnableSpiffe
+	}
 
 	if c.NfdApiParallelism <= 0 {
 		return fmt.Errorf("the maximum number of concurrent labelers should be a non-zero positive number")
@@ -1387,3 +1459,27 @@ func patchNode(cli k8sclient.Interface, nodeName string, patches []utils.JsonPat
 func patchNodeStatus(cli k8sclient.Interface, nodeName string, patches []utils.JsonPatch) error {
 	return patchNode(cli, nodeName, patches, "status")
 }
+
+func (m *nfdMaster) getVerifiedNFDObjects(objs []*v1alpha1.NodeFeature) ([]*v1alpha1.NodeFeature, error) {
+	verifiedObjects := []*v1alpha1.NodeFeature{}
+
+	workerPrivateKey, workerPublicKey, err := m.spiffeClient.GetWorkerKeys()
+	if err != nil {
+		return verifiedObjects, err
+	}
+
+	for _, obj := range objs {
+		isSignatureVerified, err := spiffe.VerifyDataSignature(obj.Spec, obj.Annotations["signature"], workerPrivateKey, workerPublicKey)
+		if err != nil {
+			return nil, fmt.Errorf("failed to verify NodeFeature signature: %w", err)
+		}
+
+		if isSignatureVerified {
+			klog.InfoS("NodeFeature verified", "NodeFeature name", obj.Name)
+			verifiedObjects = append(verifiedObjects, obj)
+		} else {
+			klog.InfoS("NodeFeature not verified, skipping...", "NodeFeature name", obj.Name)
+		}
+	}
+	return verifiedObjects, nil
+}
diff --git a/pkg/nfd-worker/nfd-worker.go b/pkg/nfd-worker/nfd-worker.go
@@ -17,6 +17,9 @@ limitations under the License.
 package nfdworker
 
 import (
+	"crypto/tls"
+	"crypto/x509"
+	b64 "encoding/base64"
 	"encoding/json"
 	"fmt"
 	"net/http"
@@ -45,6 +48,7 @@ import (
 	nfdclient "sigs.k8s.io/node-feature-discovery/api/generated/clientset/versioned"
 	nfdv1alpha1 "sigs.k8s.io/node-feature-discovery/api/nfd/v1alpha1"
 	"sigs.k8s.io/node-feature-discovery/pkg/utils"
+	spiffe "sigs.k8s.io/node-feature-discovery/pkg/utils/spiffe"
 	"sigs.k8s.io/node-feature-discovery/pkg/version"
 	"sigs.k8s.io/node-feature-discovery/source"
 
@@ -62,6 +66,9 @@ import (
 	_ "sigs.k8s.io/node-feature-discovery/source/usb"
 )
 
+// SocketPath specifies Spiffe Socket Path
+const SocketPath = "unix:///run/spire/sockets/agent.sock"
+
 // NfdWorker is the interface for nfd-worker daemon
 type NfdWorker interface {
 	Run() error
@@ -83,6 +90,7 @@ type coreConfig struct {
 	Sources        *[]string
 	LabelSources   []string
 	SleepInterval  utils.DurationVal
+	EnableSpiffe   bool
 }
 
 type sourcesConfig map[string]source.Config
@@ -109,6 +117,7 @@ type ConfigOverrideArgs struct {
 	NoOwnerRefs    *bool
 	FeatureSources *utils.StringSliceVal
 	LabelSources   *utils.StringSliceVal
+	EnableSpiffe   *bool
 }
 
 type nfdWorker struct {
@@ -122,6 +131,7 @@ type nfdWorker struct {
 	featureSources      []source.FeatureSource
 	labelSources        []source.LabelSource
 	ownerReference      []metav1.OwnerReference
+	spiffeClient        *spiffe.SpiffeClient
 }
 
 // This ticker can represent infinite and normal intervals.
@@ -188,6 +198,12 @@ func NewNfdWorker(opts ...NfdWorkerOption) (NfdWorker, error) {
 		nfd.k8sClient = cli
 	}
 
+	spiffeClient, err := spiffe.NewSpiffeClient(SocketPath)
+	if err != nil {
+		return nfd, err
+	}
+	nfd.spiffeClient = spiffeClient
+
 	return nfd, nil
 }
 
@@ -509,6 +525,9 @@ func (w *nfdWorker) configure(filepath string, overrides string) error {
 	if w.args.Overrides.LabelSources != nil {
 		c.Core.LabelSources = *w.args.Overrides.LabelSources
 	}
+	if w.args.Overrides.EnableSpiffe != nil {
+		c.Core.EnableSpiffe = *w.args.Overrides.EnableSpiffe
+	}
 
 	c.Core.sanitize()
 
@@ -643,6 +662,14 @@ func (m *nfdWorker) updateNodeFeatureObject(labels Labels) error {
 		}
 		klog.InfoS("creating NodeFeature object", "nodefeature", klog.KObj(nfr))
 
+		// If Spiffe is enabled, we add the signature to the annotations section
+		if m.config.Core.EnableSpiffe {
+			err = m.signNodeFeatureCR(nfr)
+			if err != nil {
+				return err
+			}
+		}
+
 		nfrCreated, err := cli.NfdV1alpha1().NodeFeatures(namespace).Create(context.TODO(), nfr, metav1.CreateOptions{})
 		if err != nil {
 			return fmt.Errorf("failed to create NodeFeature object %q: %w", nfr.Name, err)
@@ -661,6 +688,13 @@ func (m *nfdWorker) updateNodeFeatureObject(labels Labels) error {
 			Labels:   labels,
 		}
 
+		if m.config.Core.EnableSpiffe {
+			err = m.signNodeFeatureCR(nfrUpdated)
+			if err != nil {
+				return err
+			}
+		}
+
 		if !apiequality.Semantic.DeepEqual(nfr, nfrUpdated) {
 			klog.InfoS("updating NodeFeature object", "nodefeature", klog.KObj(nfr))
 			nfrUpdated, err = cli.NfdV1alpha1().NodeFeatures(namespace).Update(context.TODO(), nfrUpdated, metav1.UpdateOptions{})
@@ -718,3 +752,23 @@ func (c *sourcesConfig) UnmarshalJSON(data []byte) error {
 
 	return nil
 }
+
+// signNodeFeatureCR add the signature to the annotations of a given NodeFeature CR
+func (m *nfdWorker) signNodeFeatureCR(nfr *nfdv1alpha1.NodeFeature) error {
+	workerPrivateKey, _, err := m.spiffeClient.GetWorkerKeys()
+
+	if err != nil {
+		return fmt.Errorf("error while getting worker keys: %w", err)
+	}
+
+	signature, err := spiffe.SignData(nfr.Spec, workerPrivateKey)
+
+	if err != nil {
+		return fmt.Errorf("failed to sign CRD data using Spiffe: %w", err)
+	}
+
+	encodedSignature := b64.StdEncoding.EncodeToString(signature)
+	nfr.ObjectMeta.Annotations["signature"] = encodedSignature
+
+	return nil
+}
diff --git a/pkg/utils/spiffe/spiffe.go b/pkg/utils/spiffe/spiffe.go
diff --git a/pkg/utils/spiffe/spiffe_test.go b/pkg/utils/spiffe/spiffe_test.go
