
Workload Identity: Kubernetes Workload Attestation #44209

Merged
merged 35 commits into master from strideynet/kubernetes-workload-attestation
Jul 31, 2024

Conversation

strideynet
Contributor

@strideynet strideynet commented Jul 15, 2024

Closes #41892

Manifests used in manual testing:

```yaml
# Required cluster role to allow tbot to query the Kubernetes API server
# (pods, nodes, and the kubelet via nodes/proxy) during attestation.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tbot
rules:
  - apiGroups: [""]
    resources: ["pods","nodes","nodes/proxy"]
    verbs: ["get"]
---
# Binds the above cluster role to the tbot service account.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tbot
subjects:
  - kind: ServiceAccount
    name: tbot
    namespace: default
roleRef:
  kind: ClusterRole
  name: tbot
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tbot
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: tbot-config-1
  namespace: default
data:
  tbot.yaml: |
    version: v2
    onboarding:
      join_method: kubernetes
      # ensure token is set to the name of the join token you created earlier
      token: workload-attestation-bot
    storage:
      # a memory destination is used for the bot's own state since the kubernetes
      # join method does not require persistence.
      type: memory
    # ensure this is configured to the address of your Teleport Proxy Service.
    proxy_server: redacted
    services:
      - type: spiffe-workload-api
        listen: unix:///run/tbot/sockets/workload.sock
        attestor:
          kubernetes:
            enabled: true
            # If there's any configuration needed for the k8s attestor, it can
            # be added here - but it should work out of the box like this for
            # most clusters.
        svids:
          - path: /my-service
            rules:
              - kubernetes:
                  namespace: default
                  service_account: tbot
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: tbot
spec:
  selector:
    matchLabels:
      app: tbot
  template:
    metadata:
      labels:
        app: tbot
    spec:
      securityContext:
        runAsUser: 0
        runAsGroup: 0
      # hostPID lets the attestor inspect the /proc entry of the workload
      # process that connects to the Workload API socket.
      hostPID: true
      containers:
        - name: tbot
          image: tbot-distroless
          imagePullPolicy: IfNotPresent
          securityContext:
            privileged: true
          args:
            - start
            - -c
            - /config/tbot.yaml
            - --log-format
            - json
          volumeMounts:
            - mountPath: /config
              name: config
            - mountPath: /var/run/secrets/tokens
              name: join-sa-token
            - name: tbot-sockets
              mountPath: /run/tbot/sockets
              readOnly: false
          env:
            - name: TELEPORT_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: KUBERNETES_TOKEN_PATH
              value: /var/run/secrets/tokens/join-sa-token
      serviceAccountName: tbot
      volumes:
        - name: tbot-sockets
          hostPath:
            path: /run/tbot/sockets
            type: DirectoryOrCreate
        - name: config
          configMap:
            name: tbot-config-1
        - name: join-sa-token
          projected:
            sources:
              - serviceAccountToken:
                  path: join-sa-token
                  # 600 seconds is the minimum that Kubernetes supports. We
                  # recommend this value is used.
                  expirationSeconds: 600
                  # `example.teleport.sh` must be replaced with the name of
                  # your Teleport cluster.
                  audience: redacted
```

Tested on GCP and my local docker desktop cluster.

changelog: Added support for Kubernetes Workload Attestation into Teleport Workload Identity to allow the authentication of pods running within Kubernetes without secrets.
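As an added example (not code from this PR or from Teleport), the shape of the attestation the manifests above rely on: with hostPID the bot can read /proc/<pid>/mountinfo of the process on the other end of the Workload API socket, recover the pod UID from the kubelet volume bind mounts, look that pod up in the node's kubelet pod listing (what the nodes/proxy RBAC rule is for), and apply the namespace/service_account rule from the config. The mountinfo excerpt, the pod UID, the /var/lib/kubelet/pods/<uid>/ path convention and the exact rule semantics are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed /proc/<pid>/mountinfo excerpt for a pod process: kubelet volume
// bind mounts carry the host path /var/lib/kubelet/pods/<pod-uid>/... in field 4.
const sampleMountInfo = `1892 1875 0:142 / / rw,relatime - overlay overlay rw
1904 1892 8:1 /var/lib/kubelet/pods/5e1a0c7a-3d2f-4b8c-9a6e-1f2d3c4b5a60/etc-hosts /etc/hosts rw,relatime - ext4 /dev/sda1 rw
1905 1892 8:1 /var/lib/kubelet/pods/5e1a0c7a-3d2f-4b8c-9a6e-1f2d3c4b5a60/volumes/kubernetes.io~projected/kube-api-access-k7s2x /var/run/secrets/kubernetes.io/serviceaccount ro,relatime - ext4 /dev/sda1 rw
`
var podUIDRe = regexp.MustCompile(`/var/lib/kubelet/pods/([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})/`)

// PodUIDFromMountInfo returns the pod UID named by the kubelet mounts; a process
// with no such mount (not in a pod, or hostPID missing) cannot be attested.
func PodUIDFromMountInfo(mountinfo string) (string, error) {
	for _, line := range strings.Split(mountinfo, "\n") {
		if m := podUIDRe.FindStringSubmatch(line); m != nil {
			return m[1], nil
		}
	}
	return "", fmt.Errorf("no kubelet pod mount in mountinfo: not a pod process?")
}

// Pod is the subset of the kubelet pod listing the rules need; Rule mirrors
// the `kubernetes:` rule in the tbot config above (both fields must match).
type Pod struct{ UID, Namespace, ServiceAccount string }
type Rule struct{ Namespace, ServiceAccount string }

// Attest maps the caller's mountinfo to a pod on this node (keyed by UID) and
// reports whether any rule admits it; an unknown pod is an error, not a deny.
func Attest(mountinfo string, pods map[string]Pod, rules []Rule) (bool, error) {
	uid, err := PodUIDFromMountInfo(mountinfo)
	if err != nil {
		return false, err
	}
	p, ok := pods[uid]
	if !ok {
		return false, fmt.Errorf("pod %s not found on this node", uid)
	}
	for _, r := range rules {
		if r.Namespace == p.Namespace && r.ServiceAccount == p.ServiceAccount {
			return true, nil
		}
	}
	return false, nil
}
```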

@strideynet
Contributor Author

I'd like to get this manually tested on EKS and AKS before releasing this.

@strideynet strideynet marked this pull request as ready for review July 19, 2024 15:17
Contributor

@timothyb89 timothyb89 left a comment


We discussed my issue offline; it turns out my bot role was misconfigured. spiffe-helper is happily issuing SVIDs now that there is in fact a valid allow: rule for the path.

LGTM otherwise!


@orca-security-us orca-security-us bot left a comment


Orca Security Scan Summary

| Check | Status | high | medium | low | info |
|---|---|---|---|---|---|
| Infrastructure as Code | Passed | 0 | 0 | 0 | 0 |
| Secrets | Passed | 0 | 0 | 0 | 0 |
| Vulnerabilities | Failed | 1 | 0 | 0 | 0 |

The following Vulnerabilities (CVEs) have been detected:

| Severity | Package | File | CVE ID | Installed version | Fixed version |
|---|---|---|---|---|---|
| critical | github.com/docker/docker | ./go.mod | CVE-2024-41110 | 26.1.1+incompatible | 23.0.14, 26.1.4, 27.1.0 |

@strideynet
Contributor Author

strideynet commented Jul 31, 2024

This is fixed on master, will merge master in this branch.

@public-teleport-github-review-bot public-teleport-github-review-bot bot removed the request for review from fheinecke July 31, 2024 10:29
@strideynet strideynet added this pull request to the merge queue Jul 31, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Jul 31, 2024
@strideynet strideynet enabled auto-merge July 31, 2024 12:37
@strideynet strideynet added this pull request to the merge queue Jul 31, 2024
Merged via the queue into master with commit 6922aa0 Jul 31, 2024
41 checks passed
@strideynet strideynet deleted the strideynet/kubernetes-workload-attestation branch July 31, 2024 14:52
@public-teleport-github-review-bot

@strideynet See the table below for backport results.

Branch Result
branch/v15 Failed
branch/v16 Failed

strideynet added a commit that referenced this pull request Jul 31, 2024
* Start hacking on resolving pod/container id from pid

* Add godoc comments

* Tidy attestation into well defined types

* Use gopsutil to determine gid/uid on unix systems

* Start threading through config

* Update tests

* Start working TLS support into kubelet api client

* Thread through configuration to yaml

* Support loading the CA

* Start testing with real cluster/bug fixes

* Simplify by removing container lookup

* Add new attestation rules/tests for new attestation rules

* Add test that leverages example mountfiles

* Start handling kubelet client auth more elegantly

* Add handling of custom CA values

* Tie together configuration validation

* Update YAML tests

* Go mod/sum

* Ensure we use the Effective UID/GID rather than "Real" UID/GID in Unix attestation

* Add testdata from GCP

* Add test of Kubernetes attestation with mock kubelet API

* Add test for UnixAttestor

* Update YAML goldenfile

* Appease linter

* Remove change to session.go

* Add timeout to Kubelet client

* Import `time`

* Go mod tidy

* Go mod tidy

* Remove TODO about renaming

* Rename attestor -> attestors

* Add stubs on windows

* Add missing license header
strideynet added a commit that referenced this pull request Jul 31, 2024
github-merge-queue bot pushed a commit that referenced this pull request Aug 1, 2024
github-merge-queue bot pushed a commit that referenced this pull request Aug 1, 2024
…4884)

* Workload Identity: Kubernetes Workload Attestation (#44209)

* Update go.mod go.sum
Successfully merging this pull request may close these issues.

Workload ID: Kubernetes Workload Attestation