Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Encrypt cluster traffic to limit access through certificate data #469

Closed
davidpelaez opened this issue Nov 19, 2015 · 21 comments
Closed

Encrypt cluster traffic to limit access through certificate data #469

davidpelaez opened this issue Nov 19, 2015 · 21 comments

Comments

@davidpelaez
Copy link

This is somewhat related to #227 but not sure it's the same. Before production use makes sense there's gotta be control into who can join the cluster and under what role.

The consul MO https://www.consul.io/docs/agent/encryption.html seems like a nice beginning but I don't know if we could also limit client/server and admin roles using data on the certificates. This is something used in OpenVPN servers for instance where I can ask my client to confirm that the server's presented certificate is indeed that one of a server and not any other signed by the CA.

Finally it would be great if certificate information is distributed on the cluster as a safe way to make client claims. For instance, any machine can claim a datacenter name in the config but how do we know it's true? Evidence of a source of validation to a claim made by a node would be radically useful for high security controls. Also this could be used with custom drivers for highly audited executions where node introspection would enable a distributed, verifiable source of truth to determine if something should be performed or not.

@davidpelaez davidpelaez changed the title Encrypt cluster traffic to limit access Encrypt cluster traffic to limit access through certificate data Nov 19, 2015
@davidpelaez
Copy link
Author

This issue could be of course named with a broader title, I just wanted to use the most descriptive one I could find to begin with.

@cbednarski
Copy link
Contributor

Thanks for the suggestions. There are a handful of issues you identified here, including:

  • Secure communication
  • Authenticated Membership
  • Client identity management
  • Secure introduction
  • Auditing

I think Nomad should be able to handle the first two cases. In the latter three cases, though, you will likely need to use a security toolset like Vault or features of your platform (i.e. centralized logging, controlling who can create new instances in your VPC, etc.).

We want to make these things easy in Nomad but we will need to rely on other tools to do some of the heavy lifting.

@davidpelaez
Copy link
Author

@cbednarski thanks for summarizing in a much clearer list my presented points. I agree in the benefits of having other tools provide the heavy lifting. However I think the security implications of not including a feature should be carefully considered.

If we don't include something like client identity management (please correct me if I'm wrong) there's not way to establish per node controls into what gets to run on them hence putting the trust in the whole set of nodes as a whole without much space to isolate the effects of one node being compromised. If I have a large nomad cluster with private and public nodes separated in a VPC topology I would like to have some guarantees of the security of the whole system if one node is compromised.

This of course could be a totally new conversation to enhance the considered threat model once secure communication and authenticated membership is handled? They don't see all that disconnected to me but I understand the potential practicality of splitting it.

This also related to other points I shared regarding custom drivers and driver white listing, many isolation controls could be customized at the driver level to ensure the security constraints can be finely controlled by the implementer. With this line of thought instead of isolating the concerns adding @cbednarski first two points and custom drivers as external binaries could unlock extremely flexible security guarantees.

@maticmeznar
Copy link

Has there been any progress on encrypting/authenticating cluster traffic? If I understand this correctly, Nomad is currently insecure and therefore should not be used in production?

@dadgar
Copy link
Contributor

dadgar commented Feb 3, 2016

@maticmeznar: There has not been work on this yet. The question of whether it can be used in production without these features depends on the security requirements of your firm and whether you have a trusted environment. For many cases, this is not a halter on production but none the less it is an important addition that we look forward to supporting.

@ConnorJC3
Copy link

Last post on this is >month old, is there any progress on this?

@dadgar
Copy link
Contributor

dadgar commented Mar 10, 2016

No there hasn't been. There are other higher priority features for Nomad
that we have been tackling. We will update this ticket once there is a
change.

On Thu, Mar 10, 2016 at 1:12 PM, Connor Catlett [email protected]
wrote:

Last post on this is >month old, is there any progress on this?


Reply to this email directly or view it on GitHub
#469 (comment).

@ConnorJC3
Copy link

Understood, thanks for the information.

@SamMauldin
Copy link

Is there a recommended way to run nomad securely currently on a platform without private networking? (e.g. Digital Ocean)

@maticmeznar
Copy link

You could use IPSec.

On 21. 04. 2016 03:59, Sam Mauldin wrote:

Is there a recommended way to run nomad securely currently on a
platform without private networking? (e.g. Digital Ocean)


You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
#469 (comment)

@kevincox
Copy link

@maticmeznar The problem with even this is that any user on your machine can access nomad. If I use certificates or passwords that are only readable by root and a service on my servers is compromised they only get one user on one node. Where as if nomad is restricted by network permissions once they compromise any server they can spawn tasks across all my nodes as any user. That's a huge difference in separation.

@Gerrrr
Copy link
Contributor

Gerrrr commented Jun 14, 2016

Hello,

Are you open to a PR on securing RPC communication and authenticating membership?

Do you have a configuration API in mind? My proposal is to use the same configuration parameters as in Consul - verify_incoming, verify_outgoing, verify_server_hostname since they are already a part of tlsutil API.

@dadgar
Copy link
Contributor

dadgar commented Jun 14, 2016

@Gerrrr I think the first step would be to collaborate on a design document and then a PR

@Gerrrr
Copy link
Contributor

Gerrrr commented Aug 3, 2016

@dadgar, please have a look at the proposed changes and questions:

RPC

Server encryption:

  • Introduce new general options in nomad/config and command/agent/config: VerifyIncoming, VerifyOutgoing, CAFile, CertFile, KeyFile
  • Add corresponding options to command/agent/config_parse.parseServer - verify_incoming, verify_outgoing, ca_file, cert_file, key_file
  • Replace tls stubs in nomad/server.NewServer with consul/tlsutil tls wrappers

Client encryption:

  • make nomad.config/tlsConfig available outside of nomad package
  • Create tls wraper in agent.agent/setupClient and pass it to the client.NewClient.connPool

Questions:

  • Since there are no legacy reasons in Nomad to introduce VerifyServerHostname, should the hostnames be automatically verified when VerifyOutgoing is enabled?
  • I would like to suggest server.<datacenter>.<region> format of the certificates' common names. What do you think?

Serf

Proof of concept: https://github.com/Gerrrr/nomad/tree/feature/serf_encryption

@kevincox
Copy link

That looks good to me!

(I didn't audit it but the code looked reasonable)

@dadgar
Copy link
Contributor

dadgar commented Aug 16, 2016

@Gerrrr That looks like a great plan actually! Let me know if you are going to be tackling this work as it was something I was going to do rather soon! So we should coordinate

@Gerrrr
Copy link
Contributor

Gerrrr commented Aug 16, 2016

@dadgar @kevincox
Thanks for the feedback. I would like to finish the work and submit 2 PRs (for RPC and Serf) soon.

@kevincox
Copy link

If you need a tester let me know. I'll try to spin up a cluster.

@c4milo
Copy link
Contributor

c4milo commented Dec 22, 2016

should this issue be closed now that Nomad supports TLS certificates and symmetric encryption for gossiping?

@dadgar
Copy link
Contributor

dadgar commented Jan 3, 2017

@c4milo Yep! Thanks :)

@dadgar dadgar closed this as completed Jan 3, 2017
@github-actions
Copy link

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 17, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

9 participants