-
Notifications
You must be signed in to change notification settings - Fork 40k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Proposal: kubelet authentication/authorization #32518
Proposal: kubelet authentication/authorization #32518
Conversation
cc @kubernetes/sig-auth @kubernetes/sig-node @roberthbailey @mikedanese @cjcullen @erictune @kayrus @deads2k |
cc @kubernetes/sig-cluster-lifecycle |
|
||
This proposal assumes the existence of: | ||
|
||
* a functioning API server |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Isn't this a chicken-egg supposition. /cc @mikedanese
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nope, you don't need to call the kubelet API to bootstrap an apiserver with a kubelet
GCE e2e build/test passed for commit cf6efb2aabdae41e6816eed84299003a4892c5b7. |
This is something we want to get fixed up in v1.5. cc @ericchiang @aaronlevy @yifan-gu @euank @pbx0 |
|
||
### Anonymous | ||
|
||
Add a new `--anonymous-auth=[true|false]` option to the kubelet. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I know this is in use in various places, is this the first time this is part of Kube?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
part of #32386 for the apiserver
Looks fairly similar to what works already in OpenShift - the other flags look consistent with our current uses in apiserver. Bootstrapping may in the future want to play in this mode, although I prefer bootstrapping to be a pre-stage to full kubelet startup and the kubelet to be required to transition from bootstrap into one of these modes explicitly. |
Automatic merge from submit-queue Allow webhook authenticator to use TokenReviewsInterface Refactors the authentication webhook to be able to be fed a kubeconfig file or a TokenReviewsInterface Fixes a bug with webhooks not retrying on 429/500 errors Related to #32518 (comment)
cf6efb2
to
b626a82
Compare
@alex-mohr @roberthbailey @cjcullen |
The master API server can already be started with `--kubelet-client-certificate` and | ||
`--kubelet-client-key` options in order to make authenticated requests to the kubelet. | ||
|
||
### Bearer token |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is a bearer token method really necessary? Are there many scenarios for users accessing the Kubelet API or can we lock this down even further?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
in openshift, we've been able to eliminate the unsecured kubelet port, and have heapster gather stats and metrics data using a service account token against the secured kubelet port
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I'm for this particular part of the proposal staying in. Being able to centrally administer what has access to these endpoints is great. And the tooling around issuance and revocation of service accounts is much more built out than our PKI and CRL infrastructure.
The overall proposal accurately represents most of the security discussions we had when locking the Kubelet down in OpenShift and seems broadly in line with our existing apiserver flags and direction. This proposal LGTM - can folks on this proposal who have concerns still do a pass and raise those soon so we can move forward? |
|
||
## API Changes | ||
|
||
None |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Possible new resources for the SubjectAccessReview?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
no API changes are needed to support the SubjectAccessReviews the kubelet would submit (it would express the checks in verb
and group/version/resource/subresource/name
terms)
@smarterclayton I'm +1 on this. |
LGTM |
@erictune any last comments? |
I'd really like one of @cjcullen @alex-mohr @roberthbailey to take a look at this because this relies on SubjectAccessReview and TokenReviews, which we don't expose on GKE. |
GKE does not enable the SubjectAccessReview and TokenReview APIs because we don't really want to support those as generic Kubernetes APIs. I'm not completely opposed to providing this as an option for kubelet auth, but it feels fishy to me. We don't want to expose the TokenReview endpoint on GKE, because it could possibly allow 3rd parties to inspect I don't think overloading SubjectAccessReview for kubelet authz is a great idea. We would be crossing the namespaces of kubelet resources and kubernetes resources. SubjectAccessReview is currently pretty purpose-built for the user-facing Kubernetes API. Do we see the kubelet API becoming more of a user-facing thing? If not, SubjectAccessReview feels like overkill. I think the x509 option provides the cleanest way forward for GKE. As a first step, we could mint a cert for kube-apiserver and a cert for heapster with a separate CA than the one we use for the apiserver's certs, and then AllowAll inside the kubelet. This would add another place to worry about cert rotation, and would make a compromised heapster a potential avenue to long-lived access to any pod. To mitigate that a bit, we could make authz give read-write to kube-apiserver and read-only to heapster. LGTM to the proposal (to unblock any work that is waiting). I don't see the webhook options as viable paths forward for GKE (without rethinking other things), but I think the other options here will get us going the right direction. Thanks @liggitt for putting this together. |
I'll say our view is somewhat biased because the vast majority of deployed The kubelet API today is user facing in two directions - administrative I don't think it's unreasonable that the authorizer on the kubelet have On Oct 4, 2016, at 8:22 PM, Eric Tune notifications@github.com wrote: I'd really like one of @cjcullen https://github.com/cjcullen @alex-mohr — |
If no other comments, LGTM. Thanks |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Small tweak. Hopefully not disruptive.
|
||
### x509 client certificate | ||
|
||
Add a new `--client-ca-file=[file]` option to the kubelet. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Quick comment -- any place where we have a CA certificate we should support a bundle or a set of certificates. Otherwise it is almost impossible to do key rotation.
We should also make sure that we plan to have this stuff driven by component configs.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree. File could be a bundle, just like the API server. Also, we'd hook up the CRL bits here as soon as we have them worked out for the apiserver authenticator.
Automatic merge from submit-queue |
Automatic merge from submit-queue Allow webhook authorizer to use SubjectAccessReviewInterface Refactors the authorization webhook to be able to be fed a kubeconfig file or a SubjectAccessReviewsInterface Added tests to exercise retry logic, and ensure the correct serialized version is sent to the remote webhook (I also made sure the new tests passed on the current webhook impl in master) c.f. #32547 c.f. #32518
Automatic merge from submit-queue Proposal: kubelet authentication/authorization Proposal for kubernetes/enhancements#89
Automatic merge from submit-queue Allow webhook authorizer to use SubjectAccessReviewInterface Refactors the authorization webhook to be able to be fed a kubeconfig file or a SubjectAccessReviewsInterface Added tests to exercise retry logic, and ensure the correct serialized version is sent to the remote webhook (I also made sure the new tests passed on the current webhook impl in master) c.f. kubernetes/kubernetes#32547 c.f. kubernetes/kubernetes#32518
Proposal for kubernetes/enhancements#89
This change is