ambient: ca: Implement node authorization #41379
Conversation
This implements the node authorization described in istio#41281 Note: this only implements the CA part. The ztunnel and XDS will be updated in a later PR. Because this is extremely security sensitive code, I wanted to keep the PR as small as possible.
security/pkg/server/ca/node_auth.go
Outdated
| if len(res) == 0 { | ||
| return fmt.Errorf("no instances of %q found on node %q", k.ServiceAccount, k.Node) | ||
| } | ||
| serverCaLog.Debugf("Node caller ") |
There was a problem hiding this comment.
serverCaLog.Debugf("Node caller ")
Should the Debugf statement here include who is the node caller?
There was a problem hiding this comment.
Yes! Good catch... I must have got distracted half way through writing this line :-)
| // This should never happen (only possible if the index doesn't exist) | ||
| return fmt.Errorf("failed to find node local service accounts: %v", err) | ||
| } | ||
| // We don't care what pods are part of the index, only that there is at least one. If there is one, |
There was a problem hiding this comment.
Does this function checks that the ztunnel and the pod for which the ztunnel requests a certificate are on the same node?
There was a problem hiding this comment.
Right now we don't use the common name part of the cert - any chance we can add something there (not sure in what format) to support a way to identify such certificates ? It may also
be worth adding the node ID and pod ID - may be a bit of an abuse of the CN field, not sure if there is a better place to convey this information.
|
/retest |
1 similar comment
|
/retest |
| @@ -418,6 +419,30 @@ var ( | |||
| return strings.Split(trustedGatewayCIDR.Get(), ",") | |||
| }() | |||
|
|
|||
| CATrustedNodeAccounts = func() map[types.NamespacedName]struct{} { | |||
There was a problem hiding this comment.
How permanent is this intended to be? If we want to stop trusting some service account, we'd have to restart istiods.
There was a problem hiding this comment.
Intent is you have 1 ztunnel and that is the only one ever configured. We can move to mesh config if needed though
There was a problem hiding this comment.
The maybe impossible scenario I imagined is somehow something talking to istiod manages to hijack the identity of the ztunnel and grab all the node certs.
This implements the node authorization described in #41281
Note: this only implements the CA part. The ztunnel and XDS will be updated in a later PR. Because this is extremely security sensitive code, I wanted to keep the PR as small as possible.
Please provide a description of this PR: