Use per-node tokens for agent-server websocket authentication #2501
Comments
#2504 implements In addition, this also needs plugin changes for provisioning support.
#2504 is now merged, and provides agent/server support for per-node tokens, including CLI commands to manage them. I'm keeping this issue open to track the Kontena plugin changes to use node tokens for provisioning, instead of the grid tokens.
Switching over to node tokens really also needs a fix for #2502 (separate weave shared secret) first. Currently each node still requires the As a (hacky) workaround, you could now provision the nodes with valid
The current agent-server websocket RPC mechanism uses a grid-level shared secret token for authentication, together with the agent-provided Docker ID for identifying nodes. This is useful for simplifying autoscaling deployments, allowing any number of grid nodes to be provisioned using a common cloud-config. However, this is bad from a security standpoint, because the compromise of any node will leak the shared grid token, which is also very difficult to replace (#1973), requiring all nodes to be re-provisioned.
The agent provisioning and agent-server websocket connections should be changed to use predetermined node IDs and per-node tokens. Instead of the server dynamically creating new host nodes as agents connect, the host nodes should be created beforehand, using a user-supplied name and a server-generated token.
The agents would then be provisioned with the following configuration:
```
KONTENA_URI=wss://...
KONTENA_NODE_ID=grid/node-name
KONTENA_NODE_TOKEN=<generated>
```
Removing a node would then invalidate the node token, preventing the agent from reconnecting. Assuming further support for weave secret rotation, the grid token could then be replaced without affecting the remaining nodes.
With per-node authentication tokens, the agent-server RPC protocol should also be improved to remove the current use of explicit `node_id` RPC parameters, strictly limiting each agent to only have access to the `GridServiceInstance` and `Container` objects associated with the authenticated `HostNode`. This would mean that grid secrets would only be accessible by the specific nodes that the service is deployed to.

The server must still retain support for the legacy grid token based RPC websocket authentication, both for existing host nodes, as well as simplified autoscaling deployments using a fixed cloud-config. However, if all host nodes are deployed using node tokens, and given further weave secret related improvements, this would serve to avoid the potential #1973 security headaches.
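As an added illustration of the proposal in this issue (example code written for this page, not Kontena's own server or agent; the `NodeRegistry`, `AgentConnection` and `HostNode` names, the `Kontena-*` handshake header names and the sample grid token are all assumptions), the following Ruby model pre-creates host nodes with server-generated tokens, authenticates a websocket handshake with either per-node credentials or the legacy grid token, invalidates a node's token when the node is removed, and resolves RPC calls against the authenticated `HostNode` instead of an agent-supplied `node_id`:

```ruby
require 'securerandom'
require 'digest'

# Hypothetical server-side model of the per-node token scheme proposed above.
# Class and header names are assumptions for this example, not Kontena's API.
class NodeRegistry
  HostNode = Struct.new(:id, :token_digest, :containers)

  def initialize(grid_token:)
    @grid_token = grid_token # legacy grid-wide shared secret, still accepted
    @nodes = {}              # "grid/node-name" => HostNode
  end

  # Pre-create the host node from a user-supplied name. The plaintext token is
  # returned once for provisioning (KONTENA_NODE_TOKEN); only its digest is kept.
  def create_node(grid, name)
    id = "#{grid}/#{name}"
    token = SecureRandom.hex(32)
    @nodes[id] = HostNode.new(id, digest(token), [])
    [id, token]
  end

  # Removing a node drops its token, so a later reconnect attempt fails.
  def remove_node(id)
    !@nodes.delete(id).nil?
  end

  # Websocket handshake authentication. Returns the HostNode or nil.
  # Per-node credentials are checked first; the legacy grid-token path remains
  # for existing nodes and fixed cloud-config autoscaling deployments.
  def authenticate(headers, grid:)
    node_id = headers['Kontena-Node-Id']
    if node_id && headers['Kontena-Node-Token']
      node = @nodes[node_id]
      return nil unless node && node.token_digest
      return nil unless fixed_equal?(node.token_digest, digest(headers['Kontena-Node-Token']))
      node
    elsif node_id && headers['Kontena-Grid-Token']
      return nil unless fixed_equal?(digest(@grid_token), digest(headers['Kontena-Grid-Token']))
      # Legacy behaviour: the node is identified by the agent-supplied Docker ID
      # and created on demand; such nodes carry no per-node token.
      id = "#{grid}/#{node_id}"
      @nodes[id] ||= HostNode.new(id, nil, [])
    end
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end

  # Constant-time comparison of two equal-length hex digests.
  def fixed_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Authenticated agent connection: every RPC resolves against the HostNode bound
# at handshake time, so an explicit node_id parameter cannot widen access.
class AgentConnection
  def initialize(node)
    @node = node
  end

  def rpc(method, params = {})
    case method
    when 'containers/list'
      @node.containers.dup # params['node_id'], if the agent sends one, is ignored
    else
      raise ArgumentError, "unknown rpc #{method}"
    end
  end
end

if $PROGRAM_NAME == __FILE__
  registry = NodeRegistry.new(grid_token: 'constructed-grid-token') # constructed sample value
  id, token = registry.create_node('demo', 'node-1')
  node = registry.authenticate({ 'Kontena-Node-Id' => id, 'Kontena-Node-Token' => token }, grid: 'demo')
  puts "authenticated as #{node.id}"
  registry.remove_node(id)
  puts "reconnect after removal: #{registry.authenticate({ 'Kontena-Node-Id' => id, 'Kontena-Node-Token' => token }, grid: 'demo').inspect}"
end
```

The registry stores only a SHA-256 digest of each node token and compares digests in constant time; the legacy path creates nodes with no token digest, so a node provisioned via the grid token can never be authenticated through the per-node path by mistake.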