sig-auth: TPM-based TLS bootstrap proposal #2022
Conversation
k8s-ci-robot
added
size/L
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: Assign the PR to them by writing The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
needs-ok-to-test
|
/assign @ericchiang |
|
/assign |
| ``` | ||
| csrData, err := csr.MakeNodeCSR(privateKey, nodeName) | ||
| // handle err | ||
| switch config.BootstrapCSRAttestation { |
There was a problem hiding this comment.
Lots of cloud based instance identity strategies will want to inject themselves here too. I'm skeptical of adding more hard coded hooks like this into the codebase. Maybe others can weigh in here?
| 1. Kubelet triggers AIK creation in the TPM | ||
| 1. Kubelet requests that TPM certifies (signs) ECC public key with AIK | ||
| 1. Kubelet loads TPM’s AIK cert into memory | ||
| 1. Kubelet builds a Certificate Signing Request (CSR) using TLS key pair |
There was a problem hiding this comment.
Just to clarify. "TLS key pair" is the same as the "ECC key pair" discussed earlier and no the AIK key pair, right?
There was a problem hiding this comment.
Yep, "TLS key pair" == "ECC key pair".
| Note: in this doc `privateKey` is always `crypto.PrivateKey`, not a PEM-encoded | ||
| byte blob. | ||
|
|
||
| ### Option 2: exec authentication plugin |
There was a problem hiding this comment.
This section isn't very fleshed out, but based on our conversations this requires the exec auth plugin being able to interact with opaque private keys stored on the TPM. Would it be easier and more general to add pkcs11 support to our clients for using private keys?
There was a problem hiding this comment.
In the case of exec plugin, TLS key would actually be created outside of the TPM and stored on disk. It would only be leaded in temporarily to do the signing (or "certification" in TPM lingo).
Keys created/stored in the TPM can't be exported so exec plugin wouldn't be able to pass it to kubelet.
Abstracting to PKCS11 is an interesting idea. I don't know if it would be easier from plugin author's perspective, but probably more universal. I'll think about this some more...
There was a problem hiding this comment.
@mikedanese had some thoughts on pkcs11.
Also, to clarify, this section isn't very fleshed out because exec plugin would do exactly what kubelet does currently plus changes described above. The code just happens to live in a different binary. Let me know if you'd like more detail here.
There was a problem hiding this comment.
pkcs11 is a huge spec covering way more then we need, requires dynamic loading of symbols from object files to use, and is just a painful API to work with IMO:
http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cs01/pkcs11-curr-v2.40-cs01.pdf
If I wanted to write a plugin that connected a key service to the kubelet TLS stack, I would much prefer a concise, designed to purpose API (like the kms.proto), vs implementing a pkcs11 backend.
|
ping |
Automatic merge from submit-queue (batch tested with PRs 63340, 63266). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. gcp: allow non-bootstrap kubeconfig **What this PR does / why we need it**: Needed for kubernetes/community#2022 This change lets us generate a non-bootstrap kubeconfig with exec plugin for authn. The plugin does TLS bootstrapping internally. **Special notes for your reviewer**: Defaults when no new env vars are set will behave same as before this change. `KUBELET_AUTH_TYPE` should never be `tls-auth` in practice, but leaving it there just in case. **Release note**: ```release-note NONE ```
|
/ok-to-test |
k8s-ci-robot
removed
the
needs-ok-to-test
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
the
lifecycle/stale
|
This should be possible to build via exec auth plugin and some kind of (unimplemented) remote TLS handshake mechanism to abstract TPM interactions. |
Original docs shared with sig-auth and sig-node:
https://docs.google.com/document/d/12UgErB_46iHBOi0YEKbaFbEXv9E5O6XWQihwPkwB_7s/
https://docs.google.com/document/d/1Rrqyd9zXjbMsp05tywAxhUMTfaKypj7CHDG85DwXXbo/