Skip to content

Conversation

howardjohn
Copy link
Member

@howardjohn howardjohn commented Oct 11, 2022

This implements the node authorization described in #41281

Note: this only implements the CA part. The ztunnel and XDS will be updated in a later PR. Because this is extremely security sensitive code, I wanted to keep the PR as small as possible.

Please provide a description of this PR:

This implements the node authorization described in
istio#41281

Note: this only implements the CA part. The ztunnel and XDS will be
updated in a later PR. Because this is extremely security sensitive
code, I wanted to keep the PR as small as possible.
@howardjohn howardjohn added the release-notes-none Indicates a PR that does not require release notes. label Oct 11, 2022
@howardjohn howardjohn requested review from a team as code owners October 11, 2022 23:42
@istio-testing istio-testing added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Oct 11, 2022
if len(res) == 0 {
return fmt.Errorf("no instances of %q found on node %q", k.ServiceAccount, k.Node)
}
serverCaLog.Debugf("Node caller ")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

serverCaLog.Debugf("Node caller ")
Should the Debugf statement here include who is the node caller?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes! Good catch... I must have got distracted half way through writing this line :-)

// This should never happen (only possible if the index doesn't exist)
return fmt.Errorf("failed to find node local service accounts: %v", err)
}
// We don't care what pods are part of the index, only that there is at least one. If there is one,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this function checks that the ztunnel and the pod for which the ztunnel requests a certificate are on the same node?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Exactly

Copy link
Contributor

@costinm costinm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right now we don't use the common name part of the cert - any chance we can add something there (not sure in what format) to support a way to identify such certificates ? It may also
be worth adding the node ID and pod ID - may be a bit of an abuse of the CN field, not sure if there is a better place to convey this information.

@istio-testing istio-testing added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Oct 12, 2022
@howardjohn
Copy link
Member Author

/retest

1 similar comment
@howardjohn
Copy link
Member Author

/retest

@@ -418,6 +419,30 @@ var (
return strings.Split(trustedGatewayCIDR.Get(), ",")
}()

CATrustedNodeAccounts = func() map[types.NamespacedName]struct{} {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How permanent is this intended to be? If we want to stop trusting some service account, we'd have to restart istiods.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Intent is you have 1 ztunnel and that is the only one ever configured. We can move to mesh config if needed though

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The maybe impossible scenario I imagined is somehow something talking to istiod manages to hijack the identity of the ztunnel and grab all the node certs.

@istio-testing istio-testing merged commit 82cdfb8 into istio:experimental-ambient Oct 13, 2022
@howardjohn howardjohn mentioned this pull request Oct 21, 2022
25 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
release-notes-none Indicates a PR that does not require release notes. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants