Secure KubeArmor gRPC Endpoint #1464

Closed
daemon1024 opened this issue Oct 18, 2023 · 4 comments · Fixed by #1526
@daemon1024 (Member):

We use gRPC Insecure

https://github.com/kubearmor/kubearmor-relay-server/blob/34b9f3bd270e3edf6fbe3aae91504cc5f7f83ee3/relay-server/server/relayServer.go#L311

daemon1024 added a commit to kubearmor/kubearmor-relay-server that referenced this issue Oct 18, 2023
Include it back once we handle kubearmor/KubeArmor#1464

Signed-off-by: daemon1024 <barun1024@gmail.com>
daemon1024 added a commit to daemon1024/KubeArmor that referenced this issue Oct 18, 2023
Ref kubearmor#1044

Remove the gosec include once we handle kubearmor#1464

Signed-off-by: daemon1024 <barun1024@gmail.com>
daemon1024 added a commit to daemon1024/KubeArmor that referenced this issue Oct 18, 2023
Ref kubearmor#1044

Remove the gosec exclude once we handle kubearmor#1464

Signed-off-by: daemon1024 <barun1024@gmail.com>
daemon1024 added a commit to daemon1024/KubeArmor that referenced this issue Oct 18, 2023
Ref securego/gosec#1044 (comment)

Remove the gosec exclude once we handle kubearmor#1464

Signed-off-by: daemon1024 <barun1024@gmail.com>
@daemon1024 (Member Author) commented Nov 30, 2023:

  • Relay should be compatible with both TLS/Insecure KA Connection
  • All Clients should be compatible with both TLS/Insecure Relay/KA Connections
  • Keep TLSConfig False till we are sure that no one is going to use older Clients
  • Clients aren't limited to kArmor but any client which connects to Relay/KubeArmor over gRPC

@rksharma95 (Collaborator):

Overview of changes handled with linked PR:

Configurations

--tlsEnabled: "true/false"
--tlsCertPath: "valid path", common certificate path where CA, Client/Server cert files are present.
--tlsCertProvider: "self/external", whether client/server certificates are provided (external) or need to be generated dynamically (self).

Certificate Generation:

  • A server or client would be able to create its own certificate provided access to the CA certificate and key.
  • At this point the KubeArmor daemonset/server generates its own certificates; access to the CA will be provided by mounting the CA certificate using the k8s secret in a k8s env.
  • KubeArmor Relay and Karmor don't need to create their own certificates. The client certificates will be generated by either operator or helm template and will be stored in a k8s secret.

HL Design Overview

[image: ka-secure-grpc]
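The "self" provider and tlsEnabled paths described above, as an added illustration in Go (example code, not KubeArmor's or the relay's own): a component holding the CA certificate and key mints its own leaf certificate, and the gRPC server side only completes a handshake with clients whose certificate chains to that CA. The CA name and the service name are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Issue mints a P-256 certificate for cn. With ca == nil it self-signs a CA (the
// one the design keeps in a k8s secret); otherwise it signs a leaf with the CA key,
// limited to one extended key usage (server or client auth). Constructed example,
// not KubeArmor's own code.
func Issue(cn string, ca *x509.Certificate, caKey *ecdsa.PrivateKey, usage x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{usage},
	}
	if ca == nil { // self-signed CA: may sign certificates, may not act as a leaf
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
		ca, caKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// MutualTLSConfig is what a tlsEnabled gRPC server would wrap in credentials.NewTLS:
// it presents its own certificate and requires every client to present one that
// chains to the CA, so an unauthenticated peer fails at the handshake.
func MutualTLSConfig(ca, srvCert *x509.Certificate, srvKey *ecdsa.PrivateKey) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srv := tls.Certificate{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey, Leaf: srvCert}
	return &tls.Config{Certificates: []tls.Certificate{srv}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS12}
}
```

With tlsCertProvider=external the same MutualTLSConfig applies; only the source of the leaf certificate changes (loaded from tlsCertPath instead of minted by Issue).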

@daemon1024 (Member Author):

Reopening till we have client and relay integrations

@DelusionalOptimist (Member):

Future action items:

  • Look into using an external CA (cert manager) instead of managing it ourselves and storing it in a k8s secret.
