Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security Self Assessment: [STRIDE-SPOOF-4][STRIDE-SPOOF-5] Machine attestation for secure kubelet registration #3762

Open
randomvariable opened this issue Oct 7, 2020 · 15 comments
Open

Security Self Assessment: [STRIDE-SPOOF-4][STRIDE-SPOOF-5] Machine attestation for secure kubelet registration #3762

randomvariable opened this issue Oct 7, 2020 · 15 comments
Labels
area/security Issues or PRs related to security help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/feature Categorizes issue or PR as related to a new feature. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. sig/security Categorizes an issue or PR as relevant to SIG Security. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@randomvariable
Copy link
Member

User Story

As a security operator, I want to ensure developers who have access to create MachineDeployments are not able to gain access to data for workloads on a cluster they are not supposed to.

Detailed Description

kubeadm bootstrap tokens allow registration as arbitrary node names. GCP, EKS and Kops provide mechanisms to attest to the identity of a node such that they do not inadvertently get access to secrets and volumes not intended for that node. Provide a mechanism to resolve.

Anything else you would like to add:

[Miscellaneous information that will assist in solving the issue.]

/kind feature
@k8s-ci-robot k8s-ci-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Oct 7, 2020
@vincepri
Copy link
Member

vincepri commented Oct 7, 2020

/milestone Next

To be determined if we can get this in v1alpha4

@k8s-ci-robot k8s-ci-robot added this to the Next milestone Oct 7, 2020
This was referenced Oct 16, 2020
Closed
Closed
@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 5, 2021
@vincepri
Copy link
Member

vincepri commented Jan 5, 2021

/lifecycle frozen

@k8s-ci-robot k8s-ci-robot added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jan 5, 2021
@randomvariable
Copy link
Member Author

I know we don't have a label for it, but just for tracking

/area node-agent

@k8s-ci-robot
Copy link
Contributor

@randomvariable: The label(s) area/node-agent cannot be applied, because the repository doesn't have them

In response to this:

I know we don't have a label for it, but just for tracking

/area node-agent

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@neolit123
Copy link
Member

node-agent

just wanted to note that k8s docs address the kubelet as the "primary node agent":

https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/

The kubelet is the primary "node agent" that runs on each node

but if this is a "CAPI node agent" people are likely not going to be that confused.

@vincepri
Copy link
Member

@neolit123 Yes it's a Cluster API Node Agent :)

@arianvp
Copy link

arianvp commented May 31, 2021

Would it make sense to use https://spiffe.io/ for abstracting the node attestation part so it's cloud-agnostic (and works on prem; e.g. with the TPM attestor? )

@fabriziopandini
Copy link
Member

Would it make sense to use https://spiffe.io/ for abstracting the node attestation part so it's cloud-agnostic (and works on prem; e.g. with the TPM attestor? )

@randomvariable @yastij
In the proposal recently merged https://github.com/kubernetes-sigs/cluster-api/blob/master/docs/proposals/20210222-kubelet-authentication.md#spirespiffe there was a session explaining why SPIFFIE alternative was not selected.

@arianvp
Copy link

arianvp commented May 31, 2021
edited
Loading

Thanks for the link to the proposal. This looks very interesting.

@sbueringer sbueringer mentioned this issue Apr 26, 2022
Merged
@PushkarJ
Copy link
Member

/area security
/sig security
/retitle Security Self Assessment: [STRIDE-SPOOF-4][STRIDE-SPOOF-5] Machine attestation for secure kubelet registration
(Feel free to retitle again, I am trying to update it with security self-assessment issue naming convention.)

@k8s-ci-robot k8s-ci-robot changed the title Machine attestation for secure kubelet registration Security Self Assessment: [STRIDE-SPOOF-4][STRIDE-SPOOF-5] Machine attestation for secure kubelet registration May 13, 2022
@k8s-ci-robot k8s-ci-robot added area/security Issues or PRs related to security sig/security Categorizes an issue or PR as relevant to SIG Security. labels May 13, 2022
@fabriziopandini fabriziopandini added the triage/accepted Indicates an issue or PR is ready to be actively worked on. label Jul 29, 2022
@fabriziopandini fabriziopandini removed this from the Next milestone Jul 29, 2022
@fabriziopandini fabriziopandini removed the triage/accepted Indicates an issue or PR is ready to be actively worked on. label Jul 29, 2022
@fabriziopandini
Copy link
Member

/triage accepted
/help

@k8s-ci-robot
Copy link
Contributor

@fabriziopandini:
This request has been marked as needing help from a contributor.

Guidelines

Please ensure that the issue body includes answers to the following questions:

  • Why are we solving this issue?
  • To address this issue, are there any code changes? If there are code changes, what needs to be done in the code and what places can the assignee treat as reference points?
  • Does this issue have zero to low barrier of entry?
  • How can the assignee reach out to you for help?

For more details on the requirements of such an issue, please see here and ensure that they are met.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help command.

In response to this:

/triage accepted
/help

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. labels Sep 30, 2022
@k8s-triage-robot
Copy link

This issue has not been updated in over 1 year, and should be re-triaged.

You can:

  • Confirm that this issue is still relevant with /triage accepted (org members only)
  • Close this issue with /close

For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/

/remove-triage accepted

@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. and removed triage/accepted Indicates an issue or PR is ready to be actively worked on. labels Jan 19, 2024
@fabriziopandini
Copy link
Member

/priority backlog

@k8s-ci-robot k8s-ci-robot added the priority/backlog Higher priority than priority/awaiting-more-evidence. label Apr 12, 2024
@fabriziopandini fabriziopandini added priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed priority/backlog Higher priority than priority/awaiting-more-evidence. labels Apr 22, 2024
@k8s-ci-robot k8s-ci-robot removed the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Apr 22, 2024
@fabriziopandini fabriziopandini removed the lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. label Apr 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/security Issues or PRs related to security help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/feature Categorizes issue or PR as related to a new feature. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. sig/security Categorizes an issue or PR as relevant to SIG Security. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
9 participants
@neolit123 @arianvp @randomvariable @vincepri @PushkarJ @fabriziopandini @k8s-ci-robot @fejta-bot @k8s-triage-robot