-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Kubelet TLS Bootstrap #43
Comments
cc @kubernetes/sig-node FYI about this feature for Kubelet TLS bootstrap |
I think we should consider this pre-alpha until we complete:
Is anyone currently working on this? |
@mikedanese @gtank should be working on all of those things to get the feature done done. |
Current status of what needs to be done:
|
Status update: PR for kubelet TLS bootstrap is up: kubernetes/kubernetes#30094 |
Kubectl support tracked in kubernetes/kubernetes#30163 with some basic support prs out |
The scope of kubernetes/kubernetes#20439 was around obtaining TLS serving certs. The kubelet's use of this API should probably be limited to obtaining serving certs initially. Since the kubelet already needs API credentials to submit the initial CSR, obtaining client credentials this way doesn't buy us a whole lot from a bootstrapping perspective. |
It allows us to bootstrap individual kubelet identities from a single cluster wide shared secret (bearer token for a kubelet-bootstrap user authorized to submit CSRs). |
If the goal is to identify kubelets individually so we can partition node permissions (which I am in favor of), multiple identities obtained from a single shared credential aren't meaningful from an auth perspective. If we just want to identify requests from different nodes for debugging purposes, we can do that with user-agent strings (the same way controllers set up their own client user-agent string) |
I'm not convinced of this. In fact I think this would work equally well if the CSR API was open (didn't require auth[n/z]). The shared secret is a mechanism that prevents a specific dos attack where a user could spam the CSR API with CSRs that would not be approved. @gtank can you weigh in on this? |
cc @kubernetes/sig-cluster-lifecycle |
@mikedanese @liggitt can we please move the technical discussion about the design of the system to the https://groups.google.com/forum/#!forum/kubernetes-sig-node mailing list. |
@liggitt @mikedanese The nodes derive individual identities from the shared token. The token only exists to 1) filter requests meant for other clusters and 2) allow us restrict the nodes (via groups or ABAC) from accessing the rest of the API before they have client certs. |
@philips Is this on target for the 1.4 feature freeze this Friday (Aug 19)? |
@pwittrock: based on kubernetes/kubernetes#30094 this feature suddenly started being redesigned in flight after 5 months of work... Any suggestions on how to avoid the major redesign three days before feature freeze are welcome |
Occasionally we will realize gaps in designed features as they are implemented. We definitely need a process that handles that - rushing features to delivery without all the proper technical due diligence being done is going to cause more issues than occasionally features missing a release. I think everyone involved is trying to find the best and most secure option for the platform here. |
@smarterclayton based on PR discussions it would be great if @liggitt and @deads2k could help with parts of the feature, wdyt? any coding / review help is appreciated to address raised concerns. |
I believe both of them had been representing sig-auth on the security aspects here - I had not yet seen an update on the remaining issues though. That's probably appropriate on the linked issue. |
@mikedanese @kubernetes/sig-auth-feature-requests @kubernetes/sig-cluster-lifecycle-feature-requests @kubernetes/sig-node-feature-requests -- This feature was removed from the previous milestone, so we'd like to check in and see if there are any plans for this in Kubernetes 1.12. If so, please ensure that this issue is up-to-date with ALL of the following information:
Set the following:
Please note that the Features Freeze is July 31st, after which any incomplete Feature issues will require an Exception request to be accepted into the milestone.In addition, please be aware of the following relevant deadlines:
Please make sure all PRs for features have relevant release notes included as well. Happy shipping! |
@kubernetes/sig-auth-feature-requests can we graduate this to stable in v1.12? |
@mikedanese @kubernetes/sig-auth-feature-requests @kubernetes/sig-auth-misc -- |
I'm ok with this going to GA as long as the certificates API remains beta. |
Can a GA feature depend on a beta API? What does that mean, support-wise? |
I've added this to the 1.12 sheet as stable, but let me know if we need to walk that back. |
Why not graduate the as-is API to GA and do a v2 in case we need additional features or whatever? |
We discussed this in the sig-auth meeting on 8/8, and agreed the bootstrap feature can be promoted to stable, but not the CSR API yet. That means the externally-facing portions of the bootstrap mechanism (bootstrap kubeconfig, etc) will continue to be supported. |
Hey there! @philips I'm the wrangler for the Docs this release. Is there any chance I could have you open up a docs PR against the release-1.12 branch as a placeholder? That gives us more confidence in the feature shipping in this release and gives me something to work with when we start doing reviews/edits. Thanks! If this feature does not require docs, could you please update the features tracking spreadsheet to reflect it? |
Zach- I filed the feature initially but other folks took over the work. So,
I won't be able to help with the docs. Sorry.
…On Mon, Aug 20, 2018 at 2:25 PM Zach Arnold ***@***.***> wrote:
Hey there! @philips <https://github.com/philips> I'm the wrangler for the
Docs this release. Is there any chance I could have you open up a docs PR
against the release-1.12 branch as a placeholder? That gives us more
confidence in the feature shipping in this release and gives me something
to work with when we start doing reviews/edits. Thanks! If this feature
does not require docs, could you please update the features tracking
spreadsheet to reflect it?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#43 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AACDCOhjX6sz-ErOXML9lrqSGnd4eHTUks5uSykwgaJpZM4JS7ez>
.
|
Ok, thanks for letting me know. Whom shall I ask for this data then in your
opinion?
On Mon, Aug 20, 2018 at 2:26 PM Brandon Philips <notifications@github.com>
wrote:
… Zach- I filed the feature initially but other folks took over the work. So,
I won't be able to help with the docs. Sorry.
On Mon, Aug 20, 2018 at 2:25 PM Zach Arnold ***@***.***>
wrote:
> Hey there! @philips <https://github.com/philips> I'm the wrangler for
the
> Docs this release. Is there any chance I could have you open up a docs PR
> against the release-1.12 branch as a placeholder? That gives us more
> confidence in the feature shipping in this release and gives me something
> to work with when we start doing reviews/edits. Thanks! If this feature
> does not require docs, could you please update the features tracking
> spreadsheet to reflect it?
>
> —
> You are receiving this because you were mentioned.
> Reply to this email directly, view it on GitHub
> <#43 (comment)
>,
> or mute the thread
> <
https://github.com/notifications/unsubscribe-auth/AACDCOhjX6sz-ErOXML9lrqSGnd4eHTUks5uSykwgaJpZM4JS7ez
>
> .
>
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#43 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AE81SF57z1mjfKYZ9QPBQVJHzoItTVRYks5uSymggaJpZM4JS7ez>
.
|
@zparnold please use the assignee of the feature issue rather than the original creator (which is immutable) of the issue for this kind of stuff. I can do this. |
Ok, thanks! Learning the ropes around here. :)
…On Mon, Aug 20, 2018 at 2:37 PM Mike Danese ***@***.***> wrote:
@zparnold <https://github.com/zparnold> please use the assignee of the
feature issue rather than the original creator (which is immutable) of the
issue for this kind of stuff. I can do this.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#43 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AE81SHodJlKFUOZaBgWmnDEiCYq5HUr6ks5uSywMgaJpZM4JS7ez>
.
|
@mikedanese Will you be able to handle docs? |
@mikedanese -- |
GA docs PR here: |
It looks like this has graduated to GA so I'm going to clean up and close the issue. nice job everyone! /close |
@kacole2: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Add proposal for Route Admission Policy
Feature Description
The text was updated successfully, but these errors were encountered: