TLS auth with image registries #1143

Closed
ungureanuvladvictor opened this issue May 9, 2019 · 7 comments · Fixed by #1144
Comments

ungureanuvladvictor (Contributor) commented May 9, 2019

When using Docker we had https://docs.docker.com/engine/security/certificates/, but now that we have moved to containerd/cri we deployed an nginx proxy to do the TLS off-loading.

Any plans to support TLS auth with image registries? I took a stab at it via ungureanuvladvictor@c15fc12 just to see what it would look like.

Random-Liu (Member) commented May 9, 2019

@ungureanuvladvictor That is very welcome! Feel free to submit your change. We'll review it. :)

Your current change has some little problems, e.g. we should use the mirrored host to index certificates, instead of the host in image reference; we may want to put CA things into its own config instead of AuthConfig.

However, we can carry on that discussion in your change. I think we do want to support the TLS connection with image registry.

ungureanuvladvictor (Contributor, Author) commented May 9, 2019

@Random-Liu thanks for the ping back. I will open the PR as is and we should continue the discussion there. This is my first time diving into cri code, so it would be fun!

mikebrow (Member) commented May 10, 2019

ok.. Interesting. Has there been discussion of how this will mesh with the current kubernetes secrets pattern? https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/

Cheers, Mike

ungureanuvladvictor (Contributor, Author) commented May 10, 2019

I am aware of this but did not put a lot of thought into it. We currently run a couple of static pods, which also include the apiserver, so bootstrapping won't really work in my case, but happy to chat.

Random-Liu (Member) commented May 14, 2019

> ok.. Interesting. Has there been discussion of how this will mesh with the current kubernetes secrets pattern? https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/

I think this proposal is about TLS between container runtime and container image registry, not the authentication to the registry.

mikebrow (Member) commented May 14, 2019

> > ok.. Interesting. Has there been discussion of how this will mesh with the current kubernetes secrets pattern? https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/

> I think this proposal is about TLS between container runtime and container image registry, not the authentication to the registry.

ok.. some use TLS for mutual authentication. To tell the truth, I'm not convinced it isn't for doing both TLS auth and encrypting the transport between the two. Then he threw in the bootstrap thing and I thought ok, maybe it's for TLS-based image pulls for master node containers. Maybe we need a chat :-)

ungureanuvladvictor (Contributor, Author) commented May 16, 2019

In my case I have a registry that requires TLS mutual authentication, which needs the client to present a certificate when it establishes the connection.
