From 3b7224714cd3953f9e54ad703a0e8f781e0adbe1 Mon Sep 17 00:00:00 2001 From: Jakub Krzywda Date: Wed, 6 May 2020 19:50:47 +0200 Subject: [PATCH] Modify motivation and fix toc --- .../README.md | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/keps/sig-auth/NNNN-external-tls-certificate-authenticator/README.md b/keps/sig-auth/NNNN-external-tls-certificate-authenticator/README.md index fe1a2f926f86..cb9d33cf6592 100644 --- a/keps/sig-auth/NNNN-external-tls-certificate-authenticator/README.md +++ b/keps/sig-auth/NNNN-external-tls-certificate-authenticator/README.md @@ -99,6 +99,7 @@ tags, and then generate with `hack/update-toc.sh`. - [Sign response](#sign-response) - [Test Plan](#test-plan) - [Graduation Criteria](#graduation-criteria) + - [Alpha -> Beta Graduation](#alpha---beta-graduation) - [Upgrade / Downgrade Strategy](#upgrade--downgrade-strategy) - [Version Skew Strategy](#version-skew-strategy) - [Implementation History](#implementation-history) @@ -107,7 +108,8 @@ tags, and then generate with `hack/update-toc.sh`. - [External signer vs existing authenticators using TLS certificates](#external-signer-vs-existing-authenticators-using-tls-certificates) - [Monolithic vs modular architecture](#monolithic-vs-modular-architecture) - [RPC vs exec](#rpc-vs-exec) - - [Stdin vs program argument](#stdin-vs-program-argument) + - [Independent external plugin configuration vs passing configuration parameters from kubectl/client-go](#independent-external-plugin-configuration-vs-passing-configuration-parameters-from-kubectlclient-go) + - [Stdin vs environment variables vs program arguments](#stdin-vs-environment-variables-vs-program-arguments) - [Infrastructure Needed (optional)](#infrastructure-needed-optional) 
@@ -173,10 +175,13 @@ demonstrate the interest in a KEP within the wider Kubernetes community. [experience reports]: https://github.com/golang/go/wiki/ExperienceReports --> -How would you react if your laptop was stolen? Are you worried about attackers performing a cold boot attack to extract your Kubernetes credentials? Do you already use a YubiKey for SSH and GPG, and wonder why you cannot use it with kubectl? If yes, then this enhancement is for you! -​ + +Are you worried about someone getting access to your Kubernetes credentials? +(For example, by extracting private keys from your laptop using malware or by performing a cold boot attack.) +Do you already use a YubiKey for SSH and GPG, and wonder why you cannot use it with kubectl? If yes, then this enhancement is for you! + Highly regulated environments, such as FinTech, require delegating all digital key operations to specialized [Hardware Security Modules (HSMs)](https://en.wikipedia.org/wiki/Hardware_security_module). Amongst others, HSMs increase security by storing digital keys without allow them to be extracted. Authentication, encryption and signing is performed via a standard such as the PKCS#11 on the HSM directly. In fact, many regulated environments already require developers and operators to store SSH and GPG keys on the [YubiKey](https://en.wikipedia.org/wiki/YubiKey), a popular HSM connected via USB. -​ + Unfortunately, as of today, kubectl lacks support for PKCS#11 (see [Issue #64783](https://github.com/kubernetes/kubernetes/issues/64783)). Indeed, kubectl requires direct access to the client key data, which can either be stored in the kubeconfig or provided via a [credentials plugin](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins). Because of this, some security bloggers have even argued for [not using certificates](https://www.tremolosecurity.com/kubernetes-dont-use-certificates-for-authentication/) in kubectl at all. ### Goals
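Review bot: the new TOC entry `- [Alpha -> Beta Graduation](#alpha---beta-graduation)` in the first hunk has no matching heading change anywhere in this patch; confirm that an `Alpha -> Beta Graduation` heading actually exists under Graduation Criteria in the body, and regenerate the TOC with `hack/update-toc.sh` (as the context line above the hunk instructs) rather than hand-editing it, so the slug stays in sync with the heading. The slug itself matches GitHub's anchor generation: the `>` is dropped and the surrounding spaces become the triple hyphen.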
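Review bot: renaming the TOC entry from `Stdin vs program argument` to `Stdin vs environment variables vs program arguments` in the second hunk changes its anchor to `#stdin-vs-environment-variables-vs-program-arguments`, so any existing in-document links to `#stdin-vs-program-argument` will break, and the corresponding section heading in Alternatives must be renamed in the same patch, which this diff does not show. The same applies to the added `Independent external plugin configuration vs passing configuration parameters from kubectl/client-go` entry: its slug correctly collapses `kubectl/client-go` to `kubectlclient-go`, but the heading it points to should either appear in this patch or already be present in the body.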
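Review bot: the new motivation text in the third hunk blurs what a hardware token protects against; "extracting private keys from your laptop using malware" is exactly the threat a non-extractable key defeats, but malware running while the YubiKey is connected can still have the token sign on its behalf, so phrase the benefit as preventing key extraction (as the unchanged "Highly regulated environments" paragraph already does) rather than implying the device stops credential misuse by malware in general. Two grammar fixes are worth taking while this paragraph is being touched: "without allow them to be extracted" should read "without allowing them to be extracted", and "Authentication, encryption and signing is performed" should be "are performed". The standalone parenthetical "(For example, ...)" reads more naturally folded into the preceding question, e.g. "Are you worried about someone getting access to your Kubernetes credentials, for example by extracting private keys from your laptop with malware or by performing a cold boot attack?". Replacing the two lines that contained only a zero-width space with real blank lines is a good cleanup.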