New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Managed ca-certs #63726
Comments
/cc @mikedanese |
/etc/ssl is only correct for debian :( centos/fedora are /etc/pki |
Reacting to just the thought of a "managed root CA bundle". The CA certs one deployment wants to trust vs another deployment will vary. By shipping a root CA bundle, we’d end up requiring someone to curate and manage the trusted Root CAs.
When we add apps deployed into the cluster, this gets worse with one App wanting to have a different trusted cert set from underlying K8S cluster.
That can quickly degenerate to an empty set of Root CAs. Just an initial reaction. |
@kksriram I was thinking more about the general case, where an application needs the ability to connect to an arbitrary set of servers on the public internet. It may be the case that this is actually a relatively small use case, in which case the discussion of cluster-level config maps & automounting doesn't make sense. Perhaps we don't need to make any changes, and just promote ca-certs through namespace-level config maps as a best practice? |
Since we want these to be global, can we consider a dedicated type in the certificates.k8s.io API Group? Strawman: In certificates.k8s.io: type CertificateBundle struct {
// Certificates is an array of DER encoded certificates that make up the bundle.
Certificates [][]byte
} Then create a VolumeProjection: type CertificateBundleProjection string {
Path string
CertificateBundles []string
} To construct the volume, kubelet PEM encodes all certificates in all referenced certificate bundles and coalesces them into a single file at
|
@mikedanese I like the overall idea. But why group certificates into bundles, rather than having "certificate" top level resources? It seems like that would make managing the certs easier, though I suppose it makes it more work to create the projection. Maybe a label selector over the cluster certs? Also, we still need to consider whether this is just a special case of cluster-scoped configmaps... |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
@tallclair isn't it a good idea to add your internal company's CA certificate into underlying host CA certificate bundle file and mount it into each POD? It would allow you to get public CA updates with underlying host OS update, and you can easily manage internal company's CA (except of you need to reboot all cluster hosts to change it). Having Public CA bundle + internal CA certs in configmaps would lead to never update Public CA bundle. |
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
Any update on this ? I need my pods to trust a self-signed certificate for our dev environments. I tried to add the ca-cert to my pod and run update-ca-certificates but I can't make it work. Any help would be appreciated :)
In the Node's log I got these errors when calling an https request to a service in the same namespace :
|
@mleneveut which distro is based your image? Have you checked its location? https://blog.confirm.ch/adding-a-new-trusted-certificate-authority/ |
@fabianotessarolo It' ubuntu 16. I already tried to put the cert in /usr/local/shared/ca-certificates and run the update-ca-certificates, but my trouble was to do this before the container's main process (nodejs or dotnet run) starts. I ended up to put the .crt file in /usr/shared/ca-certificates directory of every Kubernetes node, copy it to /usr/local/shared/ca-certificates with a volumeMount and modify the ENTRYPOINT of my Dockerfile with a CMD :
It's not ideal, but working. If we could put the .crt file in the CA cert of Kubernetes and automatically inherits it in the pods, it would be better.
|
Rotten issues close after 30d of inactivity. Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
@fejta-bot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/reopen |
@neolit123: Reopened this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/lifecycle frozen |
/cc costinm Istio ( in particular multi-cluster and SDS provisioning ) would also benefit of this. |
Just putting a ping in here. We're scratching our head on how to go about doing this sanely. We have a few ideas in mind, from doing full path validation to subscribing to different bundles / lists. There's quite a few ways to skin that particular cat and all of them seem like 🐰 🕳️ s. |
We don't have any updates or progress on this, but would welcome a KEP if anyone is interested in picking it up. |
It would be useful to consider if we want a specialized API (mounted ca certs) vs a more generic case like ClusterConfigMap. If we do go for the specialized API, we probably need to careful construct it to not allow "abusing" the API to mount all sorts of other things in the API, in which case we just end up with a poor form of ClusterConfigMap. Because if you we just build an API to mount generic files into a pod automatically but and just call it |
From the short conversations I've had with colleagues I believe we're seeing a specialized API more than a generic one. I'm not sure a Mildly related, this article explores the discrepancies across distros of CA trust-stores and their location and behaviour. The article doesn't really touch on anything that would be directly in scope for a CA-bundle-merge-o-tron-mount-a-mabob API, but it depicts well the reality a end-user trying to mount a trust-store inside a container would have to contend with. Trying to put the words "quality of life" and CA trust stores in the same sentence is sort of hilarious, but this is a good spot of test cases to see if the idea holds up. @tallclair I'll see if I can get some bandwidth when I come back from vacation to put together a KEP. This is an interesting 🐰 🕳️ . |
I agree that we should consider a generic ClusterConfigMap approach but we should also think about what we would gain from bundle specific semantics. A couple things that come to mind:
kubernetes/staging/src/k8s.io/api/admissionregistration/v1/types.go Lines 526 to 529 in b19de7f
|
I am planing to work on this trust distribution issue and compiled a draft of design options and consideration. It is still in early stage so I would like to involve more people here to give their brilliant idea and help analyze pros&cons of options. Since it would be too long to paste the entire content here, I put them in a Google Doc at: |
I would like to add my use case: Running an image as non root makes it quite complicated to update a trust store with a certificate which is deployment specific; Like for a proxy, we generate the proxy ca with the deployment and would need to tell the deployment to trust that certificate. Other tools like cilium (i believe) make this easier as you have that root ca available earlier, so you could bake it into an image but thats far from convenient. It is also not far away, to have network policies allowing you fqdn with tls which would solve plenty of problems. We also spend quite a lot of time of thinkering with updating the trust store of the underlying os, java and python. |
Just an FYI openshift can achieve this https://docs.openshift.com/container-platform/4.6/networking/configuring-a-custom-pki.html |
The recently-accepted ClusterTrustBundle KEP will provide this mechanism. |
/kind feature
What happened:
A common requirement of container base images is to provide ca-certs. For example, many of our addons are based on alpine purely to install the
ca-certificates
package.I believe this is an anti-pattern:
A related problem is how to mount the Kubernetes root CA into pods. See kubernetes/community#1973 for a discussion.
What you expected to happen:
There is an opportunity for Kubernetes to provide some value-add here with support for cluster-managed root CA bundles. This is already feasible to some extent by putting the
ca-certificates.crt
bundle in a config map and mounting it into containers at/etc/ssl/
, but there are some shortcomings to this approach:An ideal solution would:
I'm not sure whether a new resource type (or CRD) is necessary here, or if ConfigMaps (either via x-namespace references or a new ClusterConfigMap) would be sufficient.
WDYT?
/sig auth
The text was updated successfully, but these errors were encountered: