Support IPsec Certificate-based Authentication #3765

Closed
xliuxu opened this issue May 11, 2022 · 5 comments · Fixed by #3778
Labels
kind/design Categorizes issue or PR as related to design.

Comments

@xliuxu (Contributor) commented May 11, 2022

Describe what you are trying to solve
The current Antrea IPsec support can only use pre-shared key (PSK) authentication with static, manually created keys. This is too limited for serious use in enterprise networks.

Describe the solution you have in mind
OVS supports authenticating tunnel endpoints using X.509 v3 certificates. Antrea only needs to manage the certificates and load them on each Node. The OVS toolkits will be responsible for monitoring and configuring the IKE daemon.

Describe how your solution impacts user flows

Describe the main design/architecture of your solution

  1. Antrea Controller creates a self-signed root CA for IPsec and watches for CertificateSigningRequests with signer name antrea.io/antrea-agent-ipsec-tunnel.
  2. Each Antrea Agent creates a CSR with its own Node name. For clusters with BoundServiceAccountTokenVolume enabled (enabled by default since Kubernetes 1.21), extra fields identifying the Pod are added by the Kubernetes API server:

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: k8s-node-control-plane-ipsec-xxx
spec:
  extra:
    authentication.kubernetes.io/pod-name:
    - antrea-agent-5vjjf
    authentication.kubernetes.io/pod-uid:
    - 3ede5c83-b42a-4f64-a325-a91d3db09d72
  request: <PEM encoded CSR>
  signerName: antrea.io/antrea-agent-ipsec-tunnel
  usages:
  - ipsec tunnel

  3. Antrea Controller verifies the CSR by checking that:
  • the usages match ["ipsec tunnel"];
  • the decoded CSR in .spec.request has a valid CN and SAN name;
  • the Pod in .spec.extra is on the Node which the CSR requests.
  4. Antrea Controller approves and signs the CSR. Antrea should not auto-approve the CSR for clusters without BoundServiceAccountTokenVolume enabled, and should also provide a switch to disable the AutoApprove feature for security concerns.
  5. Antrea Agent saves the CSR and configures the OVS bridge to load the certificates. To trigger a reload of the ovs-monitor-ipsec daemon, the cert and key file names should be changed during certificate rotation:

# ovs-vsctl set Open_vSwitch . \
other_config:certificate=/etc/ipsec.d/certs/k8s-node-control-plane-cert-xxx.pem \
other_config:private_key=/etc/ipsec.d/private/k8s-node-control-plane-privkey-xxx.pem \
other_config:ca_cert=/etc/ipsec.d/cacerts/cacert.pem

  6. Antrea Agent should rotate the signed certificate when it is about to expire.

Test plan
TBD

Additional context
Slides for the proposal.

@xliuxu xliuxu added the kind/design Categorizes issue or PR as related to design. label May 11, 2022
@xliuxu xliuxu self-assigned this May 11, 2022
xliuxu pushed a commit to xliuxu/antrea that referenced this issue May 13, 2022
Introduce antrea-signer to sign CertificateSigningRequests requested
by Antrea Agents for IPsec authentication.

Fixes: antrea-io#3765

Signed-off-by: Xu Liu <xliu2@vmware.com>
@jianjuns (Contributor) commented:

The proposal looks good to me. We should support a user-provided CA cert too.

A question: I assume authentication.kubernetes.io/pod-name is auto-populated by K8s, not added by antrea-agent, right?

@xliuxu (Contributor, Author) commented May 16, 2022

For a user-provided CA, do we need the user to provide the CA and also the private key in order to sign certificates for Nodes? Or do you mean that the user only needs to provide the CA certificate, and they will also need to sign and manage certificates for all Nodes? If the latter applies, the potential issue is that we may need users to save all the certificates and private keys for Nodes in one single Secret, as the antrea-agent DaemonSet needs to mount them.

authentication.kubernetes.io/pod-name will be added by the apiserver during creation and it is immutable. It requires the BoundServiceAccountTokenVolume feature gate to be enabled (enabled by default since 1.21).

I think we can add an option called ApprovePolicy, and it will have three options:

  1. Never - antrea-controller will never auto-approve the CSRs created by antrea-agents.
  2. IfAuthenticated - antrea-controller will leverage BoundServiceAccountTokenVolume to verify the CSR by the extra field.
  3. Always - antrea-controller will only check the necessary constraints for IPsec certificates. It will auto-approve the CSR no matter whether BoundServiceAccountTokenVolume is enabled or not, as long as the CSR for IPsec is valid.

And I am not sure whether IfAuthenticated is a good name. Any suggestion would be appreciated.
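The approval check described in the issue body and the three ApprovePolicy options in the comment above, as an added Go example (Go being Antrea's language); this is illustration code, not Antrea's implementation. `Cluster`, `CSRInfo`, `ShouldApprove` and `NewAgentCSR` are names invented here, and `Cluster` stands in for the Node and Pod listers the real controller would consult. The checks follow the proposal: usages exactly ["ipsec tunnel"], CN equal to a known Node name, organization "antrea.io", a single DNS SAN equal to the CN, and, under `IfAuthenticated`, the requesting Pod from `.spec.extra` must run on that Node.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
)

// ApprovePolicy mirrors the three options proposed in the comment above.
type ApprovePolicy int

const (
	Never           ApprovePolicy = iota // never auto-approve
	IfAuthenticated                      // require the Pod identity in .spec.extra
	Always                               // approve any structurally valid IPsec CSR
	ipsecUsage = "ipsec tunnel"
	podNameKey = "authentication.kubernetes.io/pod-name"
)

// CSRInfo is the subset of a CertificateSigningRequest the signer needs.
type CSRInfo struct {
	RequestPEM []byte              // .spec.request
	Usages     []string            // .spec.usages
	Extra      map[string][]string // .spec.extra, populated by the API server
}

// Cluster stands in for the controller's Node and Pod listers (an assumption of this example).
type Cluster struct {
	Nodes     map[string]bool   // known Node names
	PodToNode map[string]string // Node each antrea-agent Pod runs on
}

// ShouldApprove returns the Node name a certificate may be issued for, or the first failed check.
func ShouldApprove(c Cluster, csr CSRInfo, policy ApprovePolicy) (string, error) {
	if policy == Never {
		return "", errors.New("auto-approval disabled by policy")
	}
	if len(csr.Usages) != 1 || csr.Usages[0] != ipsecUsage {
		return "", fmt.Errorf("usages must be exactly [%q], got %v", ipsecUsage, csr.Usages)
	}
	block, _ := pem.Decode(csr.RequestPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return "", errors.New("spec.request is not a PEM-encoded CSR")
	}
	req, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return "", err
	}
	if err := req.CheckSignature(); err != nil { // proof of possession of the key
		return "", fmt.Errorf("CSR signature invalid: %w", err)
	}
	node := req.Subject.CommonName
	if !c.Nodes[node] {
		return "", fmt.Errorf("common name %q is not a Node", node)
	}
	if len(req.Subject.Organization) != 1 || req.Subject.Organization[0] != "antrea.io" {
		return "", fmt.Errorf("organization must be exactly [antrea.io], got %v", req.Subject.Organization)
	}
	// Exactly one DNS SAN equal to the CN; IP, email and URI SANs are refused.
	if len(req.DNSNames) != 1 || req.DNSNames[0] != node ||
		len(req.IPAddresses)+len(req.EmailAddresses)+len(req.URIs) != 0 {
		return "", errors.New("subjectAltName must be a single DNS name equal to the common name")
	}
	if policy == IfAuthenticated {
		pods := csr.Extra[podNameKey]
		if len(pods) != 1 {
			return "", errors.New("no Pod identity in spec.extra (BoundServiceAccountTokenVolume disabled?)")
		}
		if c.PodToNode[pods[0]] != node { // the requester must run on the Node it names
			return "", fmt.Errorf("Pod %q does not run on Node %q", pods[0], node)
		}
	}
	return node, nil
}

// NewAgentCSR builds the PEM CSR an agent on nodeName would submit
// (constructed sample input for this example).
func NewAgentCSR(nodeName string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: nodeName, Organization: []string{"antrea.io"}},
		DNSNames: []string{nodeName},
	}, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}
```

Under `Always` the same structural checks run but the Pod-on-Node check is skipped, which is exactly the gap the comment warns about: any principal allowed to create CSRs for this signer could obtain a certificate for any Node name.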

@jianjuns (Contributor) commented May 16, 2022

I meant users provide the CA private key.

The three options sound good to me. "IfAuthenticated" - how about ValidateAgentPodName?

@xliuxu (Contributor, Author) commented May 17, 2022

Thank you @jianjuns. BTW, do we need a feature gate for this feature? Or should we replace the PSK-based verification completely?

@jianjuns (Contributor) commented:

We should keep PSK as it is a simpler solution. I need to look at your code to know whether we need a feature gate for cert or not. But at least we need a way to decide which mode to use (e.g. based on whether a PSK or CA cert is provided or not, defaulting to cert).

xliuxu added a commit to xliuxu/antrea that referenced this issue May 25, 2022
Introduce signer antrea.io/antrea-agent-ipsec-tunnel to sign
CertificateSigningRequests requested by Antrea Agents for IPsec
certificate-based authentication and support automatic
rotation.

Closes: antrea-io#3765

Signed-off-by: Xu Liu <xliu2@vmware.com>
xliuxu added a commit to xliuxu/antrea that referenced this issue May 26, 2022
Introduce a new authentication mode for IPsec tunnel encryption.
A new config `ipsec.authenticationMode` is added to the Agent.
Now Antrea supports both "psk" and "cert" modes for IPsec
authentication. If "cert" is enabled, Antrea Agent will request IPsec
certificates by Kubernetes CertificateSigningRequests API with
signer name `antrea.io/antrea-agent-ipsec-tunnel`. Antrea Controller
will validate the requests and issue certificates if the request is
permitted.

The signer `antrea.io/antrea-agent-ipsec-tunnel` in Antrea Controller
has the following properties:
- Trust distribution - CA certificate will be saved as a ConfigMap
   `antrea-ipsec-ca` in `kube-system` namespace.
- Permitted subjects - organizations are exactly ["antrea.io"], common
   name must be one of the Node names.
- Permitted x509 extension - honors key usage and DNSName
   extensions, forbids other subjectAltName extensions. DNS name
   must be the same as the common name.
- Permitted key usages - exactly ["ipsec tunnel"]
- Expiration/certificate lifetime - defaults to 1 year.
- CA bit allowed/disallowed - not allowed.

The CSR can be automatically approved by default if Kubernetes
BoundServiceAccountTokenVolume feature gate is enabled. Antrea
Agents will renew certificates automatically when the certificate
reaches approximately 80% of the lifetime.

Closes: antrea-io#3765

Signed-off-by: Xu Liu <xliu2@vmware.com>
xliuxu added a commit to xliuxu/antrea that referenced this issue May 26, 2022
Introduce a new authentication mode for IPsec tunnel encryption.
A new config `ipsec.authenticationMode` is added to the Agent.
Now Antrea supports both "psk" and "cert" modes for IPsec
authentication. If "cert" is enabled, Antrea Agent will request IPsec
certificates by Kubernetes CertificateSigningRequests API with
signer name `antrea.io/antrea-agent-ipsec-tunnel`. Antrea Controller
will validate the requests and issue certificates if the request is
permitted.

The signer `antrea.io/antrea-agent-ipsec-tunnel` in Antrea Controller
has the following properties:
- Trust distribution - CA certificate will be saved as a ConfigMap
   `antrea-ipsec-ca` in `kube-system` namespace.
- Permitted subjects - organizations are exactly ["antrea.io"], common
   name must be one of the Node names.
- Permitted x509 extension - honors key usage and DNSName
   extensions, forbids other subjectAltName extensions. DNS name
   must be the same as the common name.
- Permitted key usages - exactly ["ipsec tunnel"]
- Expiration/certificate lifetime - defaults to 1 year.
- CA bit allowed/disallowed - not allowed.

The CSR can be automatically approved by default if Kubernetes
`BoundServiceAccountTokenVolume` feature gate is enabled. Antrea
Agents will renew certificates automatically when the certificate
reaches approximately 80% of the lifetime.

This feature requires feature gate `IPsecCertAuth` to be enabled.

Closes: antrea-io#3765

Signed-off-by: Xu Liu <xliu2@vmware.com>
xliuxu added a commit to xliuxu/antrea that referenced this issue May 27, 2022
Introduce a new authentication mode for IPsec tunnel encryption.
A new config `ipsec.authenticationMode` is added to the Agent.
Now Antrea supports both "psk" and "cert" modes for IPsec
authentication. If "cert" is enabled, Antrea Agent will request IPsec
certificates by Kubernetes CertificateSigningRequests API with
signer name `antrea.io/antrea-agent-ipsec-tunnel`. Antrea Controller
will validate the requests and issue certificates if the request is
permitted.

The signer `antrea.io/antrea-agent-ipsec-tunnel` in Antrea Controller
has the following properties:
- Trust distribution - CA certificate will be saved as a ConfigMap
   `antrea-ipsec-ca` in `kube-system` namespace.
- Permitted subjects - organizations are exactly ["antrea.io"], common
   name must be one of the Node names.
- Permitted x509 extension - honors key usage and DNSName
   extensions, forbids other subjectAltName extensions. DNS name
   must be the same as the common name.
- Permitted key usages - exactly ["ipsec tunnel"]
- Expiration/certificate lifetime - defaults to 1 year.
- CA bit allowed/disallowed - not allowed.

The CSRs can be automatically approved by default. Antrea Controller
will validate Pod identity to provide maximum security if the Kubernetes
`BoundServiceAccountTokenVolume` feature gate is enabled. Antrea
Agents will renew certificates automatically when the certificate
reaches approximately 80% of the lifetime.

This feature requires feature gate `IPsecCertAuth` to be enabled.

Closes: antrea-io#3765

Signed-off-by: Xu Liu <xliu2@vmware.com>
tnqn pushed a commit that referenced this issue May 31, 2022
Introduce a new authentication mode for IPsec tunnel encryption.
A new config `ipsec.authenticationMode` is added to the Agent.
Now Antrea supports both "psk" and "cert" modes for IPsec
authentication. If "cert" is enabled, Antrea Agent will request IPsec
certificates by Kubernetes CertificateSigningRequests API with
signer name `antrea.io/antrea-agent-ipsec-tunnel`. Antrea Controller
will validate the requests and issue certificates if the request is
permitted.

The signer `antrea.io/antrea-agent-ipsec-tunnel` in Antrea Controller
has the following properties:
- Trust distribution - CA certificate will be saved as a ConfigMap
   `antrea-ipsec-ca` in `kube-system` namespace.
- Permitted subjects - organizations are exactly ["antrea.io"], common
   name must be one of the Node names.
- Permitted x509 extension - honors key usage and DNSName
   extensions, forbids other subjectAltName extensions. DNS name
   must be the same as the common name.
- Permitted key usages - exactly ["ipsec tunnel"]
- Expiration/certificate lifetime - defaults to 1 year.
- CA bit allowed/disallowed - not allowed.

The CSRs can be automatically approved by default. Antrea Controller
will validate Pod identity to provide maximum security if the Kubernetes
`BoundServiceAccountTokenVolume` feature gate is enabled. Antrea
Agents will renew certificates automatically when the certificate
reaches approximately 80% of the lifetime.

This feature requires feature gate `IPsecCertAuth` to be enabled.

Closes: #3765

Signed-off-by: Xu Liu <xliu2@vmware.com>
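The signer properties listed in the merged commit message (1-year lifetime, CA bit not allowed, a single DNS SAN equal to the CN, "ipsec tunnel" usage, renewal at roughly 80% of the lifetime) and the trust distribution via the `antrea-ipsec-ca` CA, as an added Go example; this is illustration code, not Antrea's implementation. `NewIPsecCA`, `SignNodeCert`, `RenewAt`, `NeedsRenewal` and `VerifyPeer` are names invented here; the CA lifetime and the five-minute clock-skew allowance are assumptions. `SignNodeCert` takes the Node name and public key that an already-approved CSR carries, so that nothing else from the request influences the issued certificate.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

const (
	leafLifetime    = 365 * 24 * time.Hour // signer default from the commit message
	caLifetime      = 10 * leafLifetime    // assumption of this example
	renewAtFraction = 0.8                  // agents renew at ~80% of the lifetime
)

// NewIPsecCA creates the self-signed root the controller would generate when
// no user-provided CA is configured.
func NewIPsecCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "antrea-ipsec-ca", Organization: []string{"antrea.io"}},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(caLifetime),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// SignNodeCert issues the leaf for a request that has already passed approval.
// Only the Node name and public key come from the request; the CA bit, key
// usages and lifetime are fixed by the signer, never by the requester.
func SignNodeCert(ca *x509.Certificate, caKey crypto.Signer, nodeName string, pub crypto.PublicKey, now time.Time) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: nodeName, Organization: []string{"antrea.io"}},
		DNSNames:              []string{nodeName},        // the only SAN the signer honors
		NotBefore:             now.Add(-5 * time.Minute), // tolerate small clock skew between Nodes
		NotAfter:              now.Add(leafLifetime),
		IsCA:                  false,
		BasicConstraintsValid: true, // encode CA:FALSE explicitly
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageIPSECTunnel},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// RenewAt is the instant at which the agent should submit a fresh CSR.
func RenewAt(cert *x509.Certificate) time.Time {
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	return cert.NotBefore.Add(time.Duration(float64(lifetime) * renewAtFraction))
}

// NeedsRenewal is the periodic check the agent would run.
func NeedsRenewal(cert *x509.Certificate, now time.Time) bool {
	return !now.Before(RenewAt(cert))
}

// VerifyPeer checks a tunnel peer's certificate the way an IKE daemon would:
// it must chain to the distributed CA, name the expected Node, and carry the
// ipsec-tunnel usage rather than be some other leaf the same CA issued.
func VerifyPeer(ca, peer *x509.Certificate, expectedNode string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := peer.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     expectedNode,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageIPSECTunnel},
	})
	return err
}
```

Because the renewal point is computed from the certificate's own validity window rather than from a fixed timer, it stays correct if an operator later changes the signer's lifetime or supplies a CA that issues shorter certificates.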