2.7 KiB
2.7 KiB
title | weight | tags | ||
---|---|---|---|---|
Safety or usability: Why not both? Towards referential auth in k8s | 9 |
|
A talk by Google and Microsoft with the premise of bether auth in k8s.
Baselines
- Most access controllers have read access to all secrets -> They are not really designed for keeping these secrets
- Result: CVEs
- Example: Just use ingress, nginx, put in some lua code in the config and voila: Service account token
- Fix: No more fun
Basic solutions
- Seperate Control (the controller) from data (the ingress)
- Namespace limited ingress
Current state of cross namespace stuff
- Why: Reference tls cert for gateway api in the cert team'snamespace
- Why: Move all ingress configs to one namespace
- Classic Solution: Annotations in contour that references a namespace that contains all certs (rewrites secret to certs/secret)
- Gateway Solution:
- Gateway TLS secret ref includes a namespace
- ReferenceGrant pretty mutch allows referencing from X (Gatway) to Y (Secret)
- Limits:
- Has to be implemented via controllers
- The controllers still have readall - they just check if they are supposed to do this
Goals
Global
- Grant access to controller to only ressources relevant for them (using references and maybe class segmentation)
- Allow for safe cross namespace references
- Make it easy for api devs to adopt it
Personas
- Alex API author
- Kai controller author
- Rohan Resource owner
What our stakeholders want
- Alex: Define relationships via ReferencePatterns
- Kai: Specify controller identity (Serviceaccount), define relationship API
- Rohan: Define cross namespace references (aka ressource grants that allow access to their ressources)
Result of the paper
Architecture
- ReferencePattern: Where do i find the references -> example: GatewayClass in the gateway API
- ReferenceConsumer: Who (IOdentity) has access under which conditions?
- ReferenceGrant: Allow specific references
POC
- Minimum access: You only get access if the grant is there AND the reference actually exists
- Their basic implementation works with the kube api
Open questions
- Naming
- Make people adopt this
- What about namespace-scoped ReferenceConsumer
- Is there a need of RBAC verb support (not only read access)
Alternative
- Idea: Just extend RBAC Roles with a selector (match labels, etc)
- Problems:
- Requires changes to kubernetes core auth
- Everything bus list and watch is a pain
- How do you handle AND vs OR selection
- Field selectors: They exist
- Benefits: Simple controller implementation
Meanwhile
- Prefer tools that support isolatiobn between controller and dataplane
- Disable all non-needed features -> Especially scripting