-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RFC: Spiffe Integration #16626
RFC: Spiffe Integration #16626
Conversation
@mauriciovasquezbernal Go mod issues need fixing:
|
2951fb6
to
16fc68a
Compare
Looks like generated deepcopy functions do not match the change to label regexes. However, we should expand the definition of the regexes to capture the allowed spiffe labels as well, maybe using the OR syntax so that non-spiffe labels would still be validated using the old rergex?
|
I'm switching back to draft until the basic tests have been fixed. Feel free to mark as ready again once they are fixed or if you think it doesn't make sense to fix them first. |
d83ade4
to
74d8c2c
Compare
Kubernetes 1.21 automatically adds a new label to all namespaces when the NamespaceDefaultLabelName feature gate is enabled. (https://kubernetes.io/docs/concepts/overview/_print/#automatic-labelling) This commit adds an additional entry for all well-known identities adding that label. Signed-off-by: Mauricio Vásquez <mauricio@accuknox.com> Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
The spiffe package contains the logic needed to connect and get SVIDs1 updates from the spire agent. TODO: This package uses a spire modified version. It'll have to be updated once we have the implement such API in spire. Signed-off-by: Mauricio Vásquez <mauricio@accuknox.com> Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
The spire-server needs to have a well-known identity to avoid an egg-chicken problem when creating its endpoint. This is not needed for the spire-agent because it shares the host network namespace. Signed-off-by: Mauricio Vásquez <mauricio@accuknox.com> Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
This package is used to validate spiffe IDs. Signed-off-by: Mauricio Vásquez <mauricio@accuknox.com> Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
Update the label keys validation logic to consider SPIFFE IDs. Signed-off-by: Mauricio Vásquez <mauricio@accuknox.com> Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
Add option to enable spiffe and the socket path for spiffe agent privileged API. Signed-off-by: Mauricio Vásquez <mauricio@accuknox.com> Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
This commit uses the spiffe IDs of the endpoint's pod to create a set of identity labels. Signed-off-by: Mauricio Vásquez <mauricio@accuknox.com> Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
74d8c2c
to
5a0c8a4
Compare
Yes 👍 |
If we contrast this with the way that Cilium integrates objects from other external systems like Kubernetes, I would expect would be to have a dedicated key like
Here's a link to some kubernetes constructs being used in policy: https://docs.cilium.io/en/latest/policy/kubernetes/#multi-cluster
Yes, at least initially I think this makes sense. |
@joestringer in this case perhaps would be better as:
Just to avoid duplicating
|
@joestringer I think it doesn't work because it's possible for an endpoint to have multiple spiffe-based labels. For instance, I don't think we are able to define the following policy using that approach.
|
Hi! I have been working with the AccuKnox folks (@nyrahul @navarrothiago @rscampos) on this PR and they are going to take over the task. I'll still be around to reply any questions and participate in the discussions. |
@mauriciovasquezbernal are you saying that a single workload may have multiple SPIFFE IDs associated and you want to match that the peer workload has both SPIFFE IDs to be able to allow the traffic? The example you provided is a bit confusing because it seems to specify SPIFFE IDs with OS images, but presumably a single workload can only have one OS image. |
I think even if a workload/endpoint may have multiple SPIFFE IDs, I don't see how these multiple SPIFFE IDs could be used in the same rule since the connection/session will use/have just a single associated SPIFFE ID. |
👍 Then if you're trying to denote "allow SPIFFE ID X or SPIFFE ID Y", I think it could be done through two separate rules:
|
We discussed this during the community meeting today. I had previously raised the question above whether it's possible to associate multiple SPIFFE IDs with a single endpoint and at least above in the PR I didn't get a clear answer. If this is the case, then the only way to encode this into labels would be to put the entire spiffe id into the key. The discussion during the meeting implied that multiple SPIFFE IDs may be associated with a single endpoint, but is there an upstream SPIFFE reference for this so we can better understand that model? Specifically something like a concepts document that describes the relationship between SPIFFE IDs and endpoints/connections? |
@joestringer here is https://spiffe.io/docs/latest/spiffe-about/spiffe-concepts/ |
I couldn't see an explicit declaration of how many SPIFFE IDs may be associated with a single workload in the above concepts page. Maybe "A SPIFFE ID is a string that uniquely and specifically identifies a workload. " is supposed to imply the relationship but it's quite vague. However, upon further digging into the SPIFFE Workload API, I did find the underlying gRPC protocol definition: https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Workload_API.md#521-fetchx509svid
The "one for each identity granted to the client" seems to imply that a single client (by which I assume this is a SPIFFE workload, equivalent to pod in the model here) can have multiple identities. The section on Default Identity seems to go further and describe the notion that it's up to the workload to understand the availability of multiple identities and how it should use those identities, or otherwise default to using the first one that is provided from the SPIFFE workload API: So yes, it seems that multiple SPIFFE IDs can be associated with a single workload. |
I have another question: Let's say that we set up the spiffe identities using this system. We associate ids with workloads by encoding the spiffe ID as a key for labels associated with the endpoint. What happens if someone then manually creates a new pod with labels including a spiffe ID, something like the below?
I'm assuming that application developers in a cluster will likely have the ability to create such a pod, and at this time it would not have any interaction with SPIFFE (or if it does, SPIFFE is only adding another SPIFFE ID to the labels of the pod in addition to the one that the application developer manually added to the labels). |
Hello @joestringer , thank you for the observations. All good points. I did some validation on this. Please check the slides for more information. To summarize: |
I've requested access to the doc. I think in terms of the label source, that part makes sense - then based on the source we can know that the SPIFFE ID comes from a legitimate SPIFFE server. What I'm still missing is how we ensure that the label match in the CiliumNetworkPolicy only matches on the SPIFFE-sourced labels, and not on k8s-sourced labels. |
Actually, on second thought for:
This doesn't change the limits on the LabelSelector in the policy. If SPIFFE IDs are longer, will it still be possible to match on them using policy? |
@joestringer Part 1. Use keyword spiffe as source in CNP: In this way, the policy is going to match just labels with
Part 2. Label manually created by the user:
Part 3. CNP label validation: Any feedback is welcome, thank you for highlighting these points :D |
👍 Part 1 / 2 makes sense. I think for Part 3 you've addressed technically how the validation and internal storage of the SPIFFE IDs would work though I'd probably have to take a closer look to reason about how it's actually working against different inputs. I didn't yet quite understand how the policy can match on bigger SPIFFE IDs though, if you place a long (say ~100 character) SPIFFE match in the policy under |
hey @joestringer, thank you for the answer |
Hey @joestringer and folks, I'm going to send another PR from my Github account since the actual PR was sent by @mauriciovasquezbernal. Thank you @mauriciovasquezbernal for all the work. I'm going to maintain the Mauricio's description and commit the new changes made on Spiffe ID label. Could you folks please close this one? I'll refer this #16626 in the new PR. cc @mauriciovasquezbernal @nyrahul @navarrothiago Tks :) |
What is this?
This is a request for comments PR regarding the Cilium-SPIFFE integration that has been proposed in this design document. This PR covers the "Identity Generation Hardening" part of such proposal. We already have some prototypes of the "Upgrading connections to mTLS" part but we prefer start discussing only the former one to keep it more scoped.
How to test?
If you want to test it by yourself you can follow these steps. Otherwise you can watch this recorded demo.
--enable-spiffe
flag to cilium-agentTODO
ref #4016
cc @nyrahul @jrajahalme @jrfastab @navarrothiago @rscampos