Blog for secure webhook management #5285
Conversation
|
/test lint_istio.io |
| target_release: 1.4 | ||
| --- | ||
|
|
||
| Istio has two webhooks: Galley and Sidecar Injector. Both of them are critical to Istio, |
There was a problem hiding this comment.
| Istio has two webhooks: Galley and Sidecar Injector. Both of them are critical to Istio, | |
| Istio has two webhooks: Galley and Sidecar Injector. Both of them are crucial for Istio, |
| caption="An example attack" | ||
| >}} | ||
|
|
||
| In Istio 1.4, we introduce a new feature that uses `istioctl` to securely manage webhooks, with which: |
There was a problem hiding this comment.
| In Istio 1.4, we introduce a new feature that uses `istioctl` to securely manage webhooks, with which: | |
| To protect against this kind of attack, Istio 1.4 introduces a new feature to securely manage | |
| webhooks using `istioctl`: |
|
@lei-tang Could you please verify the lint failure? |
There was a problem hiding this comment.
Thanks for the blog post announcement for the feature.
However, the text is very difficult to follow and contains forward looking statements.
@adammil2000 Could you help @lei-tang address some of the issues still present?
| target_release: 1.4 | ||
| --- | ||
|
|
||
| Istio has two webhooks: Galley and Sidecar Injector. Both of them are crucial for Istio, |
There was a problem hiding this comment.
Do not capitalize the sidecar injector unless you are referring specifically to the value in a config file.
| Istio has two webhooks: Galley and Sidecar Injector. Both of them are crucial for Istio, | |
| Istio has two webhooks: Galley and the sidecar injector. Both of them are crucial for Istio, |
There was a problem hiding this comment.
Revised accordingly.
| sidecar containers. | ||
|
|
||
| By default, Galley and Sidecar Injector manage their own webhook configurations, which may | ||
| have a security risk if they are compromised (e.g., by buffer overflow attacks). Configuring |
There was a problem hiding this comment.
| have a security risk if they are compromised (e.g., by buffer overflow attacks). Configuring | |
| have a security risk if they are compromised, for example, through buffer overflow attacks. Configuring |
There was a problem hiding this comment.
Revised accordingly.
| To protect against this kind of attack, Istio 1.4 introduces a new feature to securely manage | ||
| webhooks using `istioctl`: | ||
|
|
||
| 1. `istioctl`, instead of Galley and Sidecar Injector, manage the webhook configurations. |
There was a problem hiding this comment.
This paragraph is very confusing. @lei-tang What are the features introduced? You are not talking about istioctl but rather the ability to use istioctl to perform certain operations. Please revisit the text on this list and mke it clear to the readers the following:
- What new operations they can perform using
istioctl? - What are the new sub-commands or flags?
There was a problem hiding this comment.
The feature introduced is istioctl, instead of Galley and the sidecar injector, manage the webhook configurations. The sentences here highlights the advantages of the new feature; the details of the new feature is in the user guide.
| and whether the certificate chain used by the webhook server is valid, which reduces the errors | ||
| caused by an unready server and by invalid certificates. | ||
|
|
||
| To try this new feature, please follow its [user guide](/docs/setup/install/webhook). |
There was a problem hiding this comment.
Do not introduce the content for this functionality as part of our setup guide. The content should be within /docs/tasks/security/
There was a problem hiding this comment.
Revised accordingly.
4864147 to
a0786be
Compare
|
|
||
| Istio has two webhooks: Galley and the sidecar injector. Both of them are crucial for Istio, | ||
| with Galley validating Kubernetes resources and the sidecar injector injecting Istio | ||
| sidecar containers. |
There was a problem hiding this comment.
Istio has two webhooks: Galley and the sidecar injector. Both of them are crucial for Istio, Galley validates Kubernetes resources and the sidecar injector injects
withing sidecar containers into Istio
sidecar containers.
There was a problem hiding this comment.
Revised accordingly.
| sidecar containers. | ||
|
|
||
| By default, Galley and the sidecar injector manage their own webhook configurations, which may | ||
| have a security risk if they are compromised, for example, through buffer overflow attacks. Configuring |
There was a problem hiding this comment.
By default, Galley and the sidecar injector manage their own webhook configurations.,which may This can pose a security risk if they are compromised, for example, through buffer overflow attacks. Configuring
have
There was a problem hiding this comment.
Revised accordingly.
| have a security risk if they are compromised, for example, through buffer overflow attacks. Configuring | ||
| a webhook is a highly privileged operation as a webhook may monitor and mutate all | ||
| Kubernetes resources. In the following example, the attacker compromises | ||
| Galley and modifies the webhook configuration of Galley to eavesdrop all Kubernetes secrets |
There was a problem hiding this comment.
lley and modifies the webhook configuration of Galley to eavesdrop on all Kubernetes secrets
There was a problem hiding this comment.
Revised accordingly.
| Kubernetes resources. In the following example, the attacker compromises | ||
| Galley and modifies the webhook configuration of Galley to eavesdrop all Kubernetes secrets | ||
| (the `clientConfig` is modified by the attacker to direct the `secrets` resources to the | ||
| a service owned by the attacker). |
There was a problem hiding this comment.
(the clientConfig is modified by the attacker to direct the secrets resources to the
a service owned by the attacker).
There was a problem hiding this comment.
Revised accordingly.
| webhooks using `istioctl`: | ||
|
|
||
| 1. `istioctl`, instead of Galley and the sidecar injector, manage the webhook configurations. | ||
| Galley and the sidecar injector are de-privileged such that even if they are compromised, they |
There was a problem hiding this comment.
Galley and the sidecar injector are de-privileged such that so even if they are compromised, they
There was a problem hiding this comment.
Revised accordingly.
| will not be able to alter the webhook configurations. | ||
|
|
||
| 1. Before configuring a webhook, `istioctl` will verify whether the webhook server is up | ||
| and whether the certificate chain used by the webhook server is valid, which reduces the errors |
There was a problem hiding this comment.
Before configuring a webhook, istioctl will verify whether the webhook server is up
and whether that the certificate chain used by the webhook server is valid, which reduces the errors
There was a problem hiding this comment.
Revised accordingly.
| --- | ||
| title: Secure webhook management | ||
| description: A more secure way to manage Istio webhooks. | ||
| publishdate: 2019-10-29 |
There was a problem hiding this comment.
Should the date of both of your blogs be changed to align with the release date?
| will not be able to alter the webhook configurations. | ||
|
|
||
| 1. Before configuring a webhook, `istioctl` will verify the webhook server is up | ||
| and that the certificate chain used by the webhook server is valid, which reduces the errors |
There was a problem hiding this comment.
| and that the certificate chain used by the webhook server is valid, which reduces the errors | |
| and that the certificate chain used by the webhook server is valid. This reduces the errors |
|
|
||
| 1. Before configuring a webhook, `istioctl` will verify the webhook server is up | ||
| and that the certificate chain used by the webhook server is valid, which reduces the errors | ||
| caused by an unready server and by invalid certificates. |
There was a problem hiding this comment.
Not sure what this is saying? Maybe:
| caused by an unready server and by invalid certificates. | |
| that can occur before a server is ready or has invalid certificates. |
| and that the certificate chain used by the webhook server is valid, which reduces the errors | ||
| caused by an unready server and by invalid certificates. | ||
|
|
||
| To try this new feature, please follow its [user guide](/docs/setup/security/webhook). |
There was a problem hiding this comment.
| To try this new feature, please follow its [user guide](/docs/setup/security/webhook). | |
| To try this new feature, refer to the [Istio webhook management task](/docs/setup/security/webhook). |
| By default, Galley and the sidecar injector manage their own webhook configurations. | ||
| This can pose a security risk if they are compromised, for example, through buffer overflow attacks. | ||
| Configuring a webhook is a highly privileged operation as a webhook may monitor and mutate all | ||
| Kubernetes resources. In the following example, the attacker compromises |
There was a problem hiding this comment.
| Kubernetes resources. In the following example, the attacker compromises | |
| Kubernetes resources. | |
| In the following example, an attacker compromises |
|
@frankbu The PR has been revised based on the comments. Please take another look. Thank you! |
|
/test lint_istio.io |
|
|
||
| 1. Before configuring a webhook, `istioctl` will verify the webhook server is up | ||
| and that the certificate chain used by the webhook server is valid. This reduces the errors | ||
| that can occur before a server is ready or has invalid certificates. |
There was a problem hiding this comment.
| that can occur before a server is ready or has invalid certificates. | |
| that can occur before a server is ready or if a server has invalid certificates. |
3f04a3d to
1ac1588
Compare
This PR has URLs pointing to: #5162.
Thus the lint test will fail until these PRs are merged.
Please provide a description for what this PR is for: istio/istio#17061.
Design documents:
[1]https://docs.google.com/document/d/1VHyBre8943USOx_YEVtA18KfEoGTmLT1iBHESO5bzcA/edit#heading=h.qex63c29z2to
[2] https://docs.google.com/document/d/1v8BxI07u-mby5f5rCruwF7odSXgb9G8-C9W5hQtSIAg/edit#heading=h.xw1gqgyqs5b
And to help us figure out who should review this PR, please
put an X in all the areas that this PR affects.
[ ] Configuration Infrastructure
[ ] Docs
[ X] Installation
[ X] Networking
[ ] Performance and Scalability
[ ] Policies and Telemetry
[ X] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure