-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Confusing name for CNP authentication type #24867
Comments
I've spent some time looking into this and thinking today, here's my summary: I agree that we should use a non- From what I can see, neither Wireguard nor IPSec transparent encryption modes in Cilium have a way to exclude specific flows, so I don't know if adding an The one thing I can think of if we're going to be changing things is that since So, auth:
mutual-type: spiffe or similar? |
One quick suggestion: "auth" is ambiguous between authentication and authorization. I'd spell it out more clearly (or at least use authn / authz as relevant). |
oh, that is a good point, I think we can still change that since these fields are not useful until 1.14 is released. |
Okay, coming back to this to try and close this out, I have two proposals:
I think that there are further followups about language in #25216 that will also be necessary so that we make clear in as many places as possible that having mTLS in Cilium Service Mesh requires both mutual auth and encryption of some form. Edit: Updated the change in the third option to be |
I agree on all three of these. On the third one, we could even spell out |
Okay, I'm proposing a lazy consensus period here of 48 hours, if there are no objections in that time, we'll proceed. |
Broadly I'm fine with the proposal above. Some thoughts/discussion points:
|
Thanks @joestringer! My thoughts here:
|
With that in mind, the final proposed changes here are:
So, final config for Helm values will look like this: # Configuration for types of authentication for Cilium
authentication:
# Configuration for Cilium's service-to-service mutual authentication using TLS handhakes.
# Note that this is not full mTLS support without also enabling encryption of some form.
# Current encryption options are Wireguard or IPSec, configured elsewhere in this file.
mutual:
# -- Port on the agent where mutual TLS handshakes between agents will be performed
port: 4250
# Settings for SPIRE
spire:
# snip, no changes to SPIRE settings. and NetworkPolicy: apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
name: "rule1"
spec:
description: "mTLS-auth enabled L7 policy to restrict access to specific HTTP call"
endpointSelector:
matchLabels:
org: empire
class: deathstar
ingress:
- fromEndpoints:
- matchLabels:
org: empire
- auth:
- type: "mtls-spiffe"
+ authentication:
+ type: "spiffe"
toPorts:
- ports:
- port: "80"
protocol: TCP
rules:
http:
- method: "POST"
path: "/v1/request-landing" |
Relates: cilium/cilium#24867 Signed-off-by: Tam Mach <tam.mach@cilium.io>
Relates: cilium/cilium#24867 Signed-off-by: Tam Mach <tam.mach@cilium.io>
This commit is to make sure that the name and language for authentication are explicit. Relates: #24867 Signed-off-by: Tam Mach <tam.mach@cilium.io>
This commit is to rename `auth` attribute in both Ingress and Egress rules to `authentication` for more clarity. Relates: #24867 Signed-off-by: Tam Mach <tam.mach@cilium.io>
I agree that the current name is confusing and we should not call anything mTLS if we are not ensuring encryption of the traffic end to end with a session-specific key. However, I would prefer an even more generic approach and separate policy intent from implementation and environment configuration. If we look at NetworkPolicy, the policy itself does not make any implications on how the policy is being enforced. Different strategies may be used to enforce depending on what environment Cilium is running in (overlay with encapsulated identities, direct routing with ipcache, ...). As far as CiliumNetworkPolicy is concerned, I would apply the same logic and require the user to declare intent whether mutual authentication is required or not and leave the implementation up to the configuration of Cilium. This may be SPIFFE-based with the mTLS datapath hook and the auth agent, it may be cert-manager / Vault based, or it may be zTunnel based in the future. This will also avoid a massive potential conflict in the future. What if a user defines multiple policies in a cluster with different authentication types? Would we be running SPIFFE, vault, and cert-manager all at once? How would we perform authentication if ingress and egress authentication types differ? I would therefore favor:
This keeps the policy simple and conflict-free. |
Relates: cilium/cilium#24867 Signed-off-by: Tam Mach <tam.mach@cilium.io>
This commit is to make sure that the name and language for authentication are explicit. Relates: cilium#24867 Signed-off-by: Tam Mach <tam.mach@cilium.io>
This commit is to rename `auth` attribute in both Ingress and Egress rules to `authentication` for more clarity. Also, `type` attribute is renamed to `mode` with applicable values as disabled, required and test-always-fail. Relates: cilium#24867 Signed-off-by: Tam Mach <tam.mach@cilium.io>
This commit is to make sure that the name and language for authentication are explicit. Relates: #24867 Signed-off-by: Tam Mach <tam.mach@cilium.io>
This commit is to rename `auth` attribute in both Ingress and Egress rules to `authentication` for more clarity. Also, `type` attribute is renamed to `mode` with applicable values as disabled, required and test-always-fail. Relates: #24867 Signed-off-by: Tam Mach <tam.mach@cilium.io>
Relates: cilium/cilium#24867 Signed-off-by: Tam Mach <tam.mach@cilium.io>
As #25761 is merged, I think we can close this issue out :) |
Relates: cilium/cilium#24867 Signed-off-by: Tam Mach <tam.mach@cilium.io>
Relates: cilium/cilium#24867 Signed-off-by: Tam Mach <tam.mach@cilium.io>
Relates: cilium/cilium#24867 Signed-off-by: Tam Mach <tam.mach@cilium.io>
The main change is to update vendor, also some updates are done on related CNP: - Adjust the CR based on latest spec (e.g. authentication.mode instead of auth.type) - Remove hard-code namespace so that the tests can run in user provided namespace via CLI - Rename the policy name to match file name (like what we have with other policies) - Remove the podToEndpoints scenarios as this scenario is mainly for testing L7 related feature, for mutual auth, L3/L4 is good enough Relates: cilium/cilium#24867 Signed-off-by: Tam Mach <tam.mach@cilium.io>
The main change is to update vendor, also some updates are done on related CNP: - Adjust the CR based on latest spec (e.g. authentication.mode instead of auth.type) - Remove hard-code namespace so that the tests can run in user provided namespace via CLI - Rename the policy name to match file name (like what we have with other policies) - Remove the podToEndpoints scenarios as this scenario is mainly for testing L7 related feature, for mutual auth, L3/L4 is good enough Relates: cilium/cilium#24867 Signed-off-by: Tam Mach <tam.mach@cilium.io>
This commit is to make sure that the name and language for authentication are explicit. Relates: cilium#24867 Signed-off-by: Tam Mach <tam.mach@cilium.io>
This commit is to rename `auth` attribute in both Ingress and Egress rules to `authentication` for more clarity. Also, `type` attribute is renamed to `mode` with applicable values as disabled, required and test-always-fail. Relates: cilium#24867 Signed-off-by: Tam Mach <tam.mach@cilium.io>
CiliumNetworkPolicy can now define an authentication type thanks to #24263. However, the name of the supported type
mtls-spiffe
is confusing: the "mtls" part implies that the resulting connection will be encrypted (as in TLS), but at the moment this field is only used to specify that the handshake that performs authentication must take place. The intention is that the resulting identities will be passed to the kernel where transparent encryption will take place, but it's possible that the encryption part will be controlled separately. With the name as it is, we risk disappointing users who will assume that they have a CNP that defines a requirement for encryption as well as authentication.Also, if possible, it would be nice to decouple the authentication type specified in the CNP from the authentication method so that a CNP could specify that it requires mutual authentication, but doesn't care whether the identities are provided by SPIFFE, X.509 certs, or whatever.
My suggestion is that instead of
auth: mtls-spiffe
we useauth: mutual
if it can be independent of the authentication method, orauth: mutual-spiffe
if it has to be specifically SPIFFE.It would be great if the encryption requirement could also be specified in the CNP too, like this:
The text was updated successfully, but these errors were encountered: