certificates: Envoy xDS Certs should have a ServiceIdentity in the CN; not ServiceAccount #3186

draychev · 2021-04-16T17:37:08Z

From a comment/proposal @shashankram made on #3170 (review):

*Directly retrieve the ServiceIdentity from the proxy XDS cert.

This issue is to treat the Envoi xDS certificate's CN as a ServiceIdentity, not specifically Kubernetes Service Account. In reality the xDS Cert CN would still be derived from a Kubernetes Service Account, but this is merely an implementation detail.

draychev · 2021-04-22T21:10:59Z

Another thought - we may need to create EndpointIdentity and have that be different that ServiceIdentity

So xDS certificate --> EndpointIdentity (or ProxyIdentity)
Service certificate --> ServiceIdentity

shashankram · 2021-06-24T16:10:03Z

Another thought - we may need to create EndpointIdentity and have that be different that ServiceIdentity

So xDS certificate --> EndpointIdentity (or ProxyIdentity)
Service certificate --> ServiceIdentity

As it stands today, both XDS cert and workload certs are based on service-account.namespace. The only additional info in the XDS cert is the proxy metadata (Proxy UUID, Kind).

I am inclined to keep this simple:

XDS cert: proxy-uuid.kind.svc-account.namespace.cluster.local
Client/Service certs: svc-account.namespace.cluster.local

This will allow the controller to correctly assign service identities that could be derived from the XDS cert.

shashankram · 2021-06-24T21:06:44Z

Resolved by #3657

draychev added the size/M 7 days (~1.5 week) label Apr 16, 2021

This was referenced Apr 16, 2021

Migration path for Service Identity #3170

Merged

Use ServiceIdentity type in catalog APIs instead of service.K8sServiceAccount #2218

Closed

draychev mentioned this issue Apr 22, 2021

catalog: Simplify ListAllowedEndpointsForService #3190

Closed

2 tasks

shashankram mentioned this issue May 21, 2021

Milestone v0.10.0 planning #2800

Closed

draychev added this to the v0.10.0 milestone Jun 2, 2021

draychev added the area/identity label Jun 22, 2021

shashankram self-assigned this Jun 24, 2021

shashankram mentioned this issue Jun 24, 2021

envoy: encode proxy identity in XDS cert #3657

Merged

shashankram closed this as completed Jun 24, 2021

draychev mentioned this issue Jun 30, 2021

(root) Identity Story #3701

Closed

6 tasks

shashankram mentioned this issue Jul 7, 2021

identity: Change (sophisticate) ServiceIdentity from a string to a struct{} so it can capture more context #3188

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

certificates: Envoy xDS Certs should have a ServiceIdentity in the CN; not ServiceAccount #3186

certificates: Envoy xDS Certs should have a ServiceIdentity in the CN; not ServiceAccount #3186

draychev commented Apr 16, 2021

draychev commented Apr 22, 2021 •

edited

Loading

shashankram commented Jun 24, 2021

shashankram commented Jun 24, 2021

certificates: Envoy xDS Certs should have a ServiceIdentity in the CN; not ServiceAccount #3186

certificates: Envoy xDS Certs should have a ServiceIdentity in the CN; not ServiceAccount #3186

Comments

draychev commented Apr 16, 2021

draychev commented Apr 22, 2021 • edited Loading

shashankram commented Jun 24, 2021

shashankram commented Jun 24, 2021

draychev commented Apr 22, 2021 •

edited

Loading