niggl
/
kubecon24
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
kubecon24/content/day2/09_safety_usability_auth.md

2.7 KiB
Raw Blame History

title weight tags
Safety or usability: Why not both? Towards referential auth in k8s 9
platform
security

A talk by Google and Microsoft with the premise of bether auth in k8s.

Baselines

  • Most access controllers have read access to all secrets -> They are not really designed for keeping these secrets
  • Result: CVEs
  • Example: Just use ingress, nginx, put in some lua code in the config and voila: Service account token
  • Fix: No more fun

Basic solutions

  • Seperate Control (the controller) from data (the ingress)
  • Namespace limited ingress

Current state of cross namespace stuff

  • Why: Reference tls cert for gateway api in the cert team'snamespace
  • Why: Move all ingress configs to one namespace
  • Classic Solution: Annotations in contour that references a namespace that contains all certs (rewrites secret to certs/secret)
  • Gateway Solution:
    • Gateway TLS secret ref includes a namespace
    • ReferenceGrant pretty mutch allows referencing from X (Gatway) to Y (Secret)
  • Limits:
    • Has to be implemented via controllers
    • The controllers still have readall - they just check if they are supposed to do this

Goals

Global

  • Grant access to controller to only ressources relevant for them (using references and maybe class segmentation)
  • Allow for safe cross namespace references
  • Make it easy for api devs to adopt it

Personas

  • Alex API author
  • Kai controller author
  • Rohan Resource owner

What our stakeholders want

  • Alex: Define relationships via ReferencePatterns
  • Kai: Specify controller identity (Serviceaccount), define relationship API
  • Rohan: Define cross namespace references (aka ressource grants that allow access to their ressources)

Result of the paper

Architecture

  • ReferencePattern: Where do i find the references -> example: GatewayClass in the gateway API
  • ReferenceConsumer: Who (IOdentity) has access under which conditions?
  • ReferenceGrant: Allow specific references

POC

  • Minimum access: You only get access if the grant is there AND the reference actually exists
  • Their basic implementation works with the kube api

Open questions

  • Naming
  • Make people adopt this
  • What about namespace-scoped ReferenceConsumer
  • Is there a need of RBAC verb support (not only read access)

Alternative

  • Idea: Just extend RBAC Roles with a selector (match labels, etc)
  • Problems:
    • Requires changes to kubernetes core auth
    • Everything bus list and watch is a pain
    • How do you handle AND vs OR selection
    • Field selectors: They exist
  • Benefits: Simple controller implementation

Meanwhile

  • Prefer tools that support isolatiobn between controller and dataplane
  • Disable all non-needed features -> Especially scripting