Support IPsec Certificate-based Authentication

Introduce a new authentication mode for IPsec tunnel encryption. A new config `ipsec.authenticationMode` is added to the Agent. Now Antrea supports both "psk" and "cert" modes for IPsec authentication If "cert" is enabled, Antrea Agent will request IPsec certificates by Kubernetes CertificateSigningRequests API with signer name `antrea.io/antrea-agent-ipsec-tunnel`. Antrea Controller will validate the requests and issue certificates if the request is permitted. The signer `antrea.io/antrea-agent-ipsec-tunnel` in Antrea Controller has the following properties: - Trust distribution - CA certificate will be saved as a ConfigMap `antrea-ipsec-ca` in `kube-system` namespace. - Permitted subjects - organizations are exactly ["antrea.io"], common name must be one of the Node names. - Permitted x509 extension - honors key usage and DNSName extensions, forbids other subjectAltName extensions. DNS name must be the same as the common name. - Permitted key usages - exactly ["ipsec tunnel"] - Expiration/certificate lifetime - defaults to 1 year. - CA bit allowed/disallowed - not allowed. The CSRs can be automatically approved by default. Antrea Controller will validate Pod identity to provide maximum security if the Kubernetes `BoundServiceAccountTokenVolume` feature gate is enabled. Antrea Agents will renew certificates automatically when the certificate reaches approximately 80% of the lifetime. This feature requires feature gate `IPsecCertAuth` to be enabled. Closes: #3765 Signed-off-by: Xu Liu <xliu2@vmware.com>
antrea-io · May 30, 2022 · 82e6835 · 82e6835
1 parent 05504f0
commit 82e6835
Show file tree

Hide file tree

Showing 40 changed files with 3,860 additions and 111 deletions.
diff --git a/build/charts/antrea/README.md b/build/charts/antrea/README.md
@@ -73,6 +73,10 @@ Kubernetes: `>= 1.16.0-0`
 | flowCollector.idleFlowExportTimeout | string | `"15s"` | timeout after which a flow record is sent to the collector for idle flows. |
 | hostGateway | string | `"antrea-gw0"` | Name of the interface antrea-agent will create and use for host <-> Pod communication. |
 | image | object | `{"pullPolicy":"IfNotPresent","repository":"projects.registry.vmware.com/antrea/antrea-ubuntu","tag":"latest"}` | Container image to use for Antrea components. |
+| ipsec.authenticationMode | string | `"psk"` | The authentication mode to use for IPsec. Must be one of "psk" or "cert". |
+| ipsec.csrSigner | object | `{"autoApprove":true,"selfSignedCA":true}` | CSR signer configuration when the authenticationMode is "cert". |
+| ipsec.csrSigner.autoApprove | bool | `true` | - Enable auto approval of Antrea signer for IPsec certificates. |
+| ipsec.csrSigner.selfSignedCA | bool | `true` | - Whether or not to use auto-generated self-signed CA. |
 | ipsec.psk | string | `"changeme"` | Preshared Key (PSK) for IKE authentication. It will be stored in a secret and passed to antrea-agent as an environment variable. |
 | kubeAPIServerOverride | string | `""` | Address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. |
 | logVerbosity | int | `0` |  |

diff --git a/build/charts/antrea/conf/antrea-agent.conf b/build/charts/antrea/conf/antrea-agent.conf
@@ -50,6 +50,9 @@ featureGates:
 # Enable mirroring or redirecting the traffic Pods send or receive.
 {{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "TrafficControl" "default" false) }}
 
+# Enable certificated-based authentication for IPsec.
+{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "IPsecCertAuth" "default" false) }}
+
 # Name of the OpenVSwitch bridge antrea-agent will create and use.
 # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
 ovsBridge: {{ .Values.ovs.bridgeName | quote }}
@@ -279,3 +282,13 @@ antreaProxy:
   # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic.
   proxyLoadBalancerIPs: {{ .proxyLoadBalancerIPs }}
 {{- end }}
+
+# IPsec tunnel related configurations.
+ipsec:
+{{- with .Values.ipsec }}
+  # The authentication mode of IPsec tunnel. It has the following options:
+  # - psk (default): Use pre-shared key (PSK) for IKE authentication.
+  # - cert:          Use CA-signed certificates for IKE authentication. This option requires the `IPsecCertAuth`
+  #                  feature gate to be enabled.
+  authenticationMode: {{ .authenticationMode | quote }}
+{{- end }}
diff --git a/build/charts/antrea/conf/antrea-controller.conf b/build/charts/antrea/conf/antrea-controller.conf
@@ -25,6 +25,9 @@ featureGates:
 # Enable managing external IPs of Services of LoadBalancer type.
 {{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "ServiceExternalIP" "default" false) }}
 
+# Enable certificated-based authentication for IPsec.
+{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "IPsecCertAuth" "default" false) }}
+
 # The port for the antrea-controller APIServer to serve on.
 # Note that if it's set to another value, the `containerPort` of the `api` port of the
 # `antrea-controller` container must be set to the same value.
@@ -71,3 +74,19 @@ nodeIPAM:
   # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126.
   nodeCIDRMaskSizeIPv6: {{ .nodeCIDRMaskSizeIPv6 }}
 {{- end }}
+
+ipsecCSRSigner:
+{{- with .Values.ipsec }}
+  # Determines the auto-approve policy of Antrea CSR signer for IPsec certificates management.
+  # If enabled, Antrea will auto-approve the CertificateSingingRequest (CSR) if its subject and x509 extensions
+  # are permitted, and the requestor can be validated. If K8s `BoundServiceAccountTokenVolume` feature is enabled,
+  # the Pod identity will also be validated to provide maximum security.
+  # If set to false, Antrea will not auto-approve CertificateSingingRequests and they need to be approved
+  # manually by `kubectl certificate approve`.
+  autoApprove: {{ .csrSigner.autoApprove }}
+  # Indicates whether to use auto-generated self-signed CA certificate.
+  # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys:
+  #   tls.crt: <CA certificate>
+  #   tls.key: <CA private key>
+  selfSignedCA: {{ .csrSigner.selfSignedCA }}
+{{- end }}
diff --git a/build/charts/antrea/templates/agent/clusterrole.yaml b/build/charts/antrea/templates/agent/clusterrole.yaml
@@ -180,3 +180,12 @@ rules:
       - get
       - list
       - watch
+  - apiGroups:
+    - certificates.k8s.io
+    resources:
+      - certificatesigningrequests
+    verbs:
+      - get
+      - watch
+      - list
+      - create
diff --git a/build/charts/antrea/templates/agent/daemonset.yaml b/build/charts/antrea/templates/agent/daemonset.yaml
@@ -205,6 +205,11 @@ spec:
           - name: host-var-run-antrea
             mountPath: /var/run/openvswitch
             subPath: openvswitch
+          {{- if eq .Values.trafficEncryptionMode "ipsec" }}
+          - name: antrea-ipsec-ca
+            mountPath: /var/run/openvswitch/ca
+            readOnly: true
+          {{- end }}
           # host-local IPAM stores allocated IP addresses as files in /var/lib/cni/networks/$NETWORK_NAME.
           # Mount a sub-directory of host-var-run-antrea to it for persistence of IP allocation.
           - name: host-var-run-antrea
@@ -305,6 +310,9 @@ spec:
           - name: host-var-log-antrea
             mountPath: /var/log/strongswan
             subPath: strongswan
+          - mountPath: /etc/ipsec.d/cacerts
+            name: antrea-ipsec-ca
+            readOnly: true
         {{- end }}
       volumes:
         - name: antrea-config
@@ -322,6 +330,12 @@ spec:
         - name: host-var-run-netns
           hostPath:
             path: /var/run/netns
+        {{- if eq .Values.trafficEncryptionMode "ipsec" }}
+        - name: antrea-ipsec-ca
+          configMap:
+            name: antrea-ipsec-ca
+            optional: true
+        {{- end }}
         - name: host-var-run-antrea
           hostPath:
             path: /var/run/antrea

diff --git a/build/charts/antrea/templates/controller/clusterrole.yaml b/build/charts/antrea/templates/controller/clusterrole.yaml
@@ -80,14 +80,26 @@ rules:
       - configmaps
     resourceNames:
       - antrea-ca
+      - antrea-ipsec-ca
       - antrea-cluster-identity
     verbs:
       - get
       - update
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    resourceNames:
+      - antrea-ipsec-ca
+    verbs:
+      - get
+      - update
+      - watch
   - apiGroups:
       - ""
     resources:
       - configmaps
+      - secrets
     verbs:
       - create
   - apiGroups:
@@ -128,6 +140,30 @@ rules:
     verbs:
       - get
       - update
+  - apiGroups:
+    - certificates.k8s.io
+    resources:
+    - certificatesigningrequests
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - certificates.k8s.io
+    resources:
+    - certificatesigningrequests/approval
+    - certificatesigningrequests/status
+    verbs:
+    - update
+  - apiGroups:
+    - certificates.k8s.io
+    resources:
+    - signers
+    resourceNames:
+    - antrea.io/antrea-agent-ipsec-tunnel
+    verbs:
+    - approve
+    - sign
   - apiGroups:
       - crd.antrea.io
     resources:

diff --git a/build/charts/antrea/values.yaml b/build/charts/antrea/values.yaml
@@ -59,9 +59,17 @@ wireGuard:
   port: 51820
 
 ipsec:
+  # -- The authentication mode to use for IPsec. Must be one of "psk" or "cert".
+  authenticationMode: "psk"
   # -- Preshared Key (PSK) for IKE authentication. It will be stored in a secret
   # and passed to antrea-agent as an environment variable.
   psk: "changeme"
+  # -- CSR signer configuration when the authenticationMode is "cert".
+  csrSigner:
+    # --- Enable auto approval of Antrea signer for IPsec certificates.
+    autoApprove: true
+    # --- Whether or not to use auto-generated self-signed CA.
+    selfSignedCA: true
 
 egress:
   # -- CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses.

diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml
@@ -108,6 +108,9 @@ data:
     # Enable mirroring or redirecting the traffic Pods send or receive.
     #  TrafficControl: false
 
+    # Enable certificated-based authentication for IPsec.
+    #  IPsecCertAuth: false
+
     # Name of the OpenVSwitch bridge antrea-agent will create and use.
     # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
     ovsBridge: "br-int"
@@ -312,6 +315,14 @@ data:
       # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and
       # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic.
       proxyLoadBalancerIPs: true
+
+    # IPsec tunnel related configurations.
+    ipsec:
+      # The authentication mode of IPsec tunnel. It has the following options:
+      # - psk (default): Use pre-shared key (PSK) for IKE authentication.
+      # - cert:          Use CA-signed certificates for IKE authentication. This option requires the `IPsecCertAuth`
+      #                  feature gate to be enabled.
+      authenticationMode: "psk"
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -363,6 +374,9 @@ data:
     # Enable managing external IPs of Services of LoadBalancer type.
     #  ServiceExternalIP: false
 
+    # Enable certificated-based authentication for IPsec.
+    #  IPsecCertAuth: false
+
     # The port for the antrea-controller APIServer to serve on.
     # Note that if it's set to another value, the `containerPort` of the `api` port of the
     # `antrea-controller` container must be set to the same value.
@@ -404,6 +418,20 @@ data:
       # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false
       # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126.
       nodeCIDRMaskSizeIPv6: 64
+
+    ipsecCSRSigner:
+      # Determines the auto-approve policy of Antrea CSR signer for IPsec certificates management.
+      # If enabled, Antrea will auto-approve the CertificateSingingRequest (CSR) if its subject and x509 extensions
+      # are permitted, and the requestor can be validated. If K8s `BoundServiceAccountTokenVolume` feature is enabled,
+      # the Pod identity will also be validated to provide maximum security.
+      # If set to false, Antrea will not auto-approve CertificateSingingRequests and they need to be approved
+      # manually by `kubectl certificate approve`.
+      autoApprove: true
+      # Indicates whether to use auto-generated self-signed CA certificate.
+      # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys:
+      #   tls.crt: <CA certificate>
+      #   tls.key: <CA private key>
+      selfSignedCA: true
 ---
 # Source: antrea/templates/crds/antreaagentinfo.yaml
 apiVersion: apiextensions.k8s.io/v1
@@ -2996,6 +3024,15 @@ rules:
       - get
       - list
       - watch
+  - apiGroups:
+    - certificates.k8s.io
+    resources:
+      - certificatesigningrequests
+    verbs:
+      - get
+      - watch
+      - list
+      - create
 ---
 # Source: antrea/templates/antctl/clusterrole.yaml
 kind: ClusterRole
@@ -3157,14 +3194,26 @@ rules:
       - configmaps
     resourceNames:
       - antrea-ca
+      - antrea-ipsec-ca
       - antrea-cluster-identity
     verbs:
       - get
       - update
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    resourceNames:
+      - antrea-ipsec-ca
+    verbs:
+      - get
+      - update
+      - watch
   - apiGroups:
       - ""
     resources:
       - configmaps
+      - secrets
     verbs:
       - create
   - apiGroups:
@@ -3205,6 +3254,30 @@ rules:
     verbs:
       - get
       - update
+  - apiGroups:
+    - certificates.k8s.io
+    resources:
+    - certificatesigningrequests
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - certificates.k8s.io
+    resources:
+    - certificatesigningrequests/approval
+    - certificatesigningrequests/status
+    verbs:
+    - update
+  - apiGroups:
+    - certificates.k8s.io
+    resources:
+    - signers
+    resourceNames:
+    - antrea.io/antrea-agent-ipsec-tunnel
+    verbs:
+    - approve
+    - sign
   - apiGroups:
       - crd.antrea.io
     resources:
@@ -3496,7 +3569,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: fd449f30e949fff2d22ed79bca0a040535429c5b605b7b93dfdbfd3b359115ae
+        checksum/config: 215e06b9ae507e0bf11e6da239908ee60b07bc419310825f504208e87815f0eb
       labels:
         app: antrea
         component: antrea-agent
@@ -3736,7 +3809,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: fd449f30e949fff2d22ed79bca0a040535429c5b605b7b93dfdbfd3b359115ae
+        checksum/config: 215e06b9ae507e0bf11e6da239908ee60b07bc419310825f504208e87815f0eb
       labels:
         app: antrea
         component: antrea-controller