Document RBAC set up for ingress key cert protection. #755
Conversation
| @@ -269,6 +269,344 @@ rules. | |||
| curl -I -k https://$INGRESS_HOST/status/200 | |||
| ``` | |||
|
|
|||
| ## Configuring RBAC for ingress key/cert | |||
There was a problem hiding this comment.
The key/cert is only used in above section, would it make more sense to put the new content in that section?
| @@ -269,6 +269,344 @@ rules. | |||
| curl -I -k https://$INGRESS_HOST/status/200 | |||
| ``` | |||
|
|
|||
| ## Configuring RBAC for ingress key/cert | |||
| There are service accounts which can access this ingress key/cert, and the ingress key/cert is not | |||
| encrypted. This leads to risks of leaking key/cert. We can set up Role-Based Access Control ("RBAC") | |||
There was a problem hiding this comment.
This is not accurate. K8s supports encrypted secret already, see here: https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/ . It would be great if we could update this as well. But maybe in a follow up PR.
There was a problem hiding this comment.
Thanks for pointing that out. I didn't know that we can encrypt secret. I will document encrypting secrets in a follow up PR.
| istio-ingress-service-account. We need to update or replace these RBAC set up to only allow | ||
| istio-ingress-service-account to access ingress key/cert. | ||
|
|
||
| 1. Update RBAC set up for istio-pilot-service-account and istio-mixer-istio-service-account. |
There was a problem hiding this comment.
Please help to keep the new content succinct and only display things of interest.
There was a problem hiding this comment.
I have made the content shorter now.
| ``` | ||
| This produces the following output: | ||
|
|
||
| ```bash |
There was a problem hiding this comment.
We don't have to display everything, please focus on ingress related one.
| metadata: | ||
| name: istio-pilot-mixer-istio-system | ||
| rules: | ||
| - apiGroups: [""] # "" indicates the core API group |
There was a problem hiding this comment.
Same here and below. Please avoid showing unrelated content.
JimmyCYJ
force-pushed
the
rbac-ingress-key-cert
branch
from
3228b41 to
bd00f69
Compare
|
I have revised the document, please take a look. Thanks. |
| ```bash | ||
| kubectl delete ClusterRoleBinding istio-pilot-admin-role-binding-istio-system | ||
| kubectl delete ClusterRoleBinding istio-mixer-admin-role-binding-istio-system | ||
| kubectl delete ClusterRole istio-mixer-istio-system |
There was a problem hiding this comment.
Is there a similar role for istio-pilot-istio-system?
There was a problem hiding this comment.
Is there any way to recover the deletion here at the end of this file? The idea is to clean up the change in this file after everything is done.
There was a problem hiding this comment.
And what privileges will pilot/mixer lose after this change? I am afraid this will break existing system. Let me add some pilot and mixer guy.
There was a problem hiding this comment.
istio-pilot-istio-system is also bound to account istio-ingress-service-account by istio-ingress-admin-role-binding-istio-system. We will delete istio-pilot-istio-system in next step, after deleting that ClusterRoleBinding object.
According to https://github.com/istio/istio/blob/11dc2fb937a23157215fffa06921cf507d27f757/install/kubernetes/istio.yaml#L22
istio-pilot-istio-system grants access permission to many resources. We need to bind those rules to istio-pilot-service-account. We should apply similar role binding process to account istio-mixer-service-account and istio-ca-service-account
| NAME TYPE DATA AGE | ||
| istio-ca-secret istio.io/ca-root 2 7d | ||
| istio-ingress-certs kubernetes.io/tls 2 7d | ||
| istio-ingress-service-account-token-kwr85 kubernetes.io/service-account-token 3 7d |
There was a problem hiding this comment.
Can we remove this one as well? And istio-ca-secret?
| rules: | ||
| - apiGroups: [""] # "" indicates the core API group | ||
| resources: ["secrets"] | ||
| resourceNames: ["istio-ca-service-account-token-rl4xm"] |
There was a problem hiding this comment.
It seems quite dangerous to hard-code names with randomized tokens (rl4xm).
There was a problem hiding this comment.
This is a kubernetes.io/service-account-token, and it is removed.
| namespace: istio-system | ||
| - kind: ServiceAccount | ||
| name: istio-mixer-service-account | ||
| namespace: istio-system |
There was a problem hiding this comment.
So we're binding the same role to both mixer SA and pilot SA. Is this desirable? IIRC mixer and pilot need different permissions.
There was a problem hiding this comment.
Yes, they need different permissions. I have create separate ClusterRoles for each of them.
| ``` | ||
|
|
||
| Create istio-pilot-mixer-istio-system.yaml, which allows istio-pilot-service-account and | ||
| istio-mixer-service-account to read all kubernetes.io/service-account-token, |
There was a problem hiding this comment.
I don't think anyone needs to read kubernetes.io/service-account-token, no?
There was a problem hiding this comment.
Agree. That line is removed.
|
can we move this forward, it's been open a while ? (and there is a conflict to be resolved now too) |
|
Sure, I will update this PR. |
|
ping ? |
|
Sorry I was working on other stuff, will update this PR soon. |
| @@ -214,11 +214,6 @@ The following are the known limitations of Istio ingress: | |||
| kubectl get ingress secure-ingress -o wide | |||
| ``` | |||
|
|
|||
| ```bash | |||
| NAME HOSTS ADDRESS PORTS AGE | |||
| secure-ingress * 130.211.10.121 80 1d | |||
There was a problem hiding this comment.
why is this sample output removed?
There was a problem hiding this comment.
That part is added back. Thanks.
There was a problem hiding this comment.
This PR is for the ingress controller task only. Maybe we can update the installation with a more general solution in future work?
JimmyCYJ
force-pushed
the
rbac-ingress-key-cert
branch
from
ea6c3b3 to
5795f37
Compare
|
Please validate it before submission. Thanks for working on this, Jimmy. |
Which issue this PR fixes: fixes istio/old_auth_repo#313