move group approver to use a subject access review #45030
Comments
mikedanese
added
the
sig/auth
|
@mikedanese This requires RBAC being enabled, and the right Roles/RoleBindings should be created, right? @mikedanese @jcbsmpsn Could you provide a short list of the implications/work items for kubeadm so we can make sure we'll get that into kubeadm v1.7? |
|
It does not require RBAC, subject access reviews will use whatever authorizer is configured. If you are using RBAC, I would expect a role for each of the individual permissions, which could be bound to bootstrap users, individual node users, or the entire node group. |
|
We will need to add an rbac role for rbac enabled kubeadm. The change should be small. |
|
So the RBAC role would look something like this then? apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: approve-node-csrs-for-<token-id>
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:csrapproval:nodeclientcert
subjects:
- kind: User
name: system:bootstrap:<token-id>
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: system:csrapproval:nodeclientcert
rules:
- apiGroups:
- authorization.k8s.io/v1
resources:
- subjectaccessreviews
resourceName:
- csr/nodeclientcert
verbs:
- createI'm confused whether I guess we want to lock things down on a token (user)-level, to only let the generated-by-default-token do the TLS bootstrap and nobody else. |
|
Probably rules something more like this (where the different categories manifest as subresources of the certificatesigningrequests resource): In a role bound to the bootstrapper: - apiGroups: ["certificates.k8s.io"]
resources: ["certificatesigningrequests/nodeclient"]
verbs: ["create"]In a role to enable kubelets to rotate their own client certs (would need more thought about how to cut off a compromised node): - apiGroups: ["certificates.k8s.io"]
resources: ["certificatesigningrequests/selfnodeclient"]
verbs: ["create"]In a role to enable kubelets to bootstrap/rotate their serving certs (would need more thought about how to verify the CN/SANs in the cert belong to that node, and how to cut off a compromised node): - apiGroups: ["certificates.k8s.io"]
resources: ["certificatesigningrequests/selfnodeserver"]
verbs: ["create"] |
|
Are the last two roles bound to the bootstrapper? I'd imagine they'd be tied to the node themselves, which would give a good way to revoke follow-up access. apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: approve-node-client-renewal-for-<node-id>
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:csrapproval:selfnodeclient
subjects:
- kind: User
name: system:node:<node-id>
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: system:csrapproval:selfnodeclient
rules:
- apiGroups: ["certificates.k8s.io"]
resources: ["certificatesigningrequests/selfnodeclient"]
verbs: ["create"] |
|
Ah that makes sense @liggitt, thanks! This looks really good then, I think it should be prioritized for v1.7 if possible (I really want to get rid of the |
|
@ericchiang Yes, we have that option as well. |
|
I've already started working on this as part of my certificate controller refactoring. |
|
Thank you @mikedanese! Ping me for review please ;) |
Automatic merge from submit-queue (batch tested with PRs 46635, 45619, 46637, 45059, 46415)
Certificate rotation for kubelet server certs.
Replaces the current kubelet server side self signed certs with certs signed by
the Certificate Request Signing API on the API server. Also renews expiring
kubelet server certs as expiration approaches.
Two Points:
1. With `--feature-gates=RotateKubeletServerCertificate=true` set, the kubelet will
request a certificate during the boot cycle and pause waiting for the request to
be satisfied.
2. In order to have the kubelet's certificate signing request auto approved,
`--insecure-experimental-approve-all-kubelet-csrs-for-group=` must be set on
the cluster controller manager. There is an improved mechanism for auto
approval [proposed](#45030).
**Release note**:
```release-note
With `--feature-gates=RotateKubeletServerCertificate=true` set, the kubelet will
request a server certificate from the API server during the boot cycle and pause
waiting for the request to be satisfied. It will continually refresh the certificate as
the certificates expiration approaches.
```
|
This was done in #45619. Can we keep this issue open until we get some docs merge? |
This includes documenting the new CSR approver built into the controller manager and the kubelet alpha features for certifiate rotation. ref: - kubernetes/kubernetes#45030 - kubernetes/enhancements#266 - kubernetes/enhancements#267
This includes documenting the new CSR approver built into the controller manager and the kubelet alpha features for certifiate rotation. Since the CSR approver changed over the 1.7 release cycle we need to call out the migration steps for those using the alpha feature. This document as a whole could probably use some updates, but the main focus of this PR is just to get these features minimally documented before the release. ref: - kubernetes/kubernetes#45030 - kubernetes/enhancements#266 - kubernetes/enhancements#267
This includes documenting the new CSR approver built into the controller manager and the kubelet alpha features for certificate rotation. Since the CSR approver changed over the 1.7 release cycle we need to call out the migration steps for those using the alpha feature. This document as a whole could probably use some updates, but the main focus of this PR is just to get these features minimally documented before the release. ref: - kubernetes/kubernetes#45030 - kubernetes/enhancements#266 - kubernetes/enhancements#267
This includes documenting the new CSR approver built into the controller manager and the kubelet alpha features for certificate rotation. Since the CSR approver changed over the 1.7 release cycle we need to call out the migration steps for those using the alpha feature. This document as a whole could probably use some updates, but the main focus of this PR is just to get these features minimally documented before the release. ref: - kubernetes/kubernetes#45030 - kubernetes/enhancements#266 - kubernetes/enhancements#267
Right now the group approver is configured with a static group name to allow provisioning of kubelet client certificates. The group approver should move to using a subject access review. We need 3 verbs to auto approve the full kubelet flow:
csr/nodeclientcertwhich if granted indicates the group approver should approve any kubelet client shaped certificate requested.csr/selfnodeclientcertwhich if granted indicates the group approver should approve a kubelet client shaped certificate requested if the username of the csr creating user matches the subject of the csr.csr/selfnodeservercertwhich if granted indicates the group approver should approve a kubelet server shaped certificate requested if the username of the csr creating user matches the subject of the csr.Names of the verbs are a rough draft. Existence of 1 allows for a preshared cluster wide bootstrap identity that can be rotated and invalidated. Existence of 2 allows a kubelet to rotate it's own client credentials. Existence of 2 allows a kubelet to request and rotate it's own server certificate.
I'm capturing a slack conversation with @liggitt so let me know if i got something wrong.
The text was updated successfully, but these errors were encountered: