85 lines
2.7 KiB
Markdown
85 lines
2.7 KiB
Markdown
---
|
|
title: "Safety or usability: Why not both? Towards referential auth in k8s"
|
|
weight: 9
|
|
---
|
|
|
|
A talk by Google and Microsoft with the premise of bether auth in k8s.
|
|
|
|
## Baselines
|
|
|
|
* Most access controllers have read access to all secrets -> They are not really designed for keeping these secrets
|
|
* Result: CVEs
|
|
* Example: Just use ingress, nginx, put in some lua code in the config and voila: Service account token
|
|
* Fix: No more fun
|
|
|
|
## Basic solutions
|
|
|
|
* Seperate Control (the controller) from data (the ingress)
|
|
* Namespace limited ingress
|
|
|
|
## Current state of cross namespace stuff
|
|
|
|
* Why: Reference tls cert for gateway api in the cert team'snamespace
|
|
* Why: Move all ingress configs to one namespace
|
|
* Classic Solution: Annotations in contour that references a namespace that contains all certs (rewrites secret to certs/secret)
|
|
* Gateway Solution:
|
|
* Gateway TLS secret ref includes a namespace
|
|
* ReferenceGrant pretty mutch allows referencing from X (Gatway) to Y (Secret)
|
|
* Limits:
|
|
* Has to be implemented via controllers
|
|
* The controllers still have readall - they just check if they are supposed to do this
|
|
|
|
## Goals
|
|
|
|
### Global
|
|
|
|
* Grant access to controller to only ressources relevant for them (using references and maybe class segmentation)
|
|
* Allow for safe cross namespace references
|
|
* Make it easy for api devs to adopt it
|
|
|
|
### Personas
|
|
|
|
* Alex API author
|
|
* Kai controller author
|
|
* Rohan Resource owner
|
|
|
|
### What our stakeholders want
|
|
|
|
* Alex: Define relationships via ReferencePatterns
|
|
* Kai: Specify controller identity (Serviceaccount), define relationship API
|
|
* Rohan: Define cross namespace references (aka ressource grants that allow access to their ressources)
|
|
|
|
## Result of the paper
|
|
|
|
### Architecture
|
|
|
|
* ReferencePattern: Where do i find the references -> example: GatewayClass in the gateway API
|
|
* ReferenceConsumer: Who (IOdentity) has access under which conditions?
|
|
* ReferenceGrant: Allow specific references
|
|
|
|
### POC
|
|
|
|
* Minimum access: You only get access if the grant is there AND the reference actually exists
|
|
* Their basic implementation works with the kube api
|
|
|
|
### Open questions
|
|
|
|
* Naming
|
|
* Make people adopt this
|
|
* What about namespace-scoped ReferenceConsumer
|
|
* Is there a need of RBAC verb support (not only read access)
|
|
|
|
## Alternative
|
|
|
|
* Idea: Just extend RBAC Roles with a selector (match labels, etc)
|
|
* Problems:
|
|
* Requires changes to kubernetes core auth
|
|
* Everything bus list and watch is a pain
|
|
* How do you handle AND vs OR selection
|
|
* Field selectors: They exist
|
|
* Benefits: Simple controller implementation
|
|
|
|
## Meanwhile
|
|
|
|
* Prefer tools that support isolatiobn between controller and dataplane
|
|
* Disable all non-needed features -> Especially scripting |