control-plane: sds: support k8s environment #201

Merged
merged 1 commit into from
Sep 9, 2019
@yskopets yskopets commented Sep 9, 2019

changes:

  • on k8s, generated Envoy SDS config must include CallCredentials in order to pass k8s token to SDS server
  • grant tokenreviews permission to kuma-control-plane service account (to be able to make calls to Token Review API)
  • use non-caching Client inside k8s SecretStore implementation (caching logic that is part of kubernetes/controller-runtime fetches all Secrets in the cluster, which we cannot allow from a security perspective)
  • explicitly set TLS cert for SDS server when running make run/k8s (since we only auto-generate TLS cert in universal case)

@@ -41,6 +41,9 @@ func (k *kubeAuthenticator) Authenticate(ctx context.Context, proxyId core_xds.P
}

func (k *kubeAuthenticator) reviewToken(ctx context.Context, proxyId core_xds.ProxyId, credential sds_auth.Credential) error {
if credential == "" {
return errors.Errorf("authentication failed: k8s token is missing")

Contributor

nit: errors.New is enough

Contributor Author

Fixed

}
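
Review bot: the `credential == ""` guard at the top of `reviewToken` rejects only an exactly empty token, so a whitespace-only credential passes this check. Consider trimming the value before the comparison, or documenting that the caller already normalises it, and add a test asserting that the missing-token path returns an error.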

// when
resource := envoy.CreateInboundListener(ctx, "inbound:192.168.0.1:8080", "192.168.0.1", 8080, "localhost:8080", true)
DescribeTable("should inject Kuma into a Pod",

Contributor

Message copy paste?

Contributor Author

Fixed

@yskopets yskopets merged commit 2594792 into master Sep 9, 2019
@yskopets yskopets deleted the feature/sds-on-k8s branch September 10, 2019 12:41
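
The PR description has the SDS server validate a proxy's k8s token through the Token Review API. The following is an added example, not code from this PR or from Kuma, of a fail-closed decision over a TokenReview response; `checkReview`, the namespace check and the sample responses are assumptions made for illustration, and the response is passed in as JSON instead of being fetched from a cluster.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// tokenReview: the authentication.k8s.io/v1 TokenReview response fields used here.
type tokenReview struct {
	Status struct {
		Authenticated bool   `json:"authenticated"`
		Error         string `json:"error"`
		User          struct {
			Username string `json:"username"`
		} `json:"user"`
	} `json:"status"`
}

// checkReview (hypothetical helper) accepts a token only when the review
// authenticates a service account in wantNamespace; anything else is an error.
func checkReview(token string, response []byte, wantNamespace string) error {
	if strings.TrimSpace(token) == "" {
		return errors.New("authentication failed: k8s token is missing")
	}
	var tr tokenReview
	if err := json.Unmarshal(response, &tr); err != nil {
		return fmt.Errorf("authentication failed: unreadable TokenReview: %w", err)
	}
	if !tr.Status.Authenticated || tr.Status.Error != "" {
		return fmt.Errorf("authentication failed: token rejected (%q)", tr.Status.Error)
	}
	// Service account usernames look like system:serviceaccount:<namespace>:<name>.
	prefix := "system:serviceaccount:" + wantNamespace + ":"
	if !strings.HasPrefix(tr.Status.User.Username, prefix) {
		return fmt.Errorf("authentication failed: %q is outside namespace %q", tr.Status.User.Username, wantNamespace)
	}
	return nil
}

// Constructed sample responses, not captured from a real cluster.
const okResp = `{"status":{"authenticated":true,"user":{"username":"system:serviceaccount:demo:web"}}}`
const expiredResp = `{"status":{"authenticated":false,"error":"token has expired"}}`

func main() {
	fmt.Println(checkReview("constructed-token", []byte(okResp), "demo"))
	fmt.Println(checkReview("constructed-token", []byte(expiredResp), "demo"))
}
```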