-
Notifications
You must be signed in to change notification settings - Fork 487
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
GEP: Client Certificate Verification for Gateway Listeners #91
Comments
Is this mTLS? Can you add to the issue title, as that is a commonly known term around the K8S community. |
It is mutual TLS in the sense that the client and the server perform mutual TLS, but 'mTLS' also has some connotations about speed and automation of certificate rotation that we probably don't want to bring in here. I say this because when we had an issue to add 'mTLS' to Contour, people started asking straight away if Contour was now a service mesh. Which it is not. But the term is overloaded. |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
/remove-lifecycle rotten #268 should close this. |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
/remove-lifecycle stale |
Adding my comments from Slack regarding some configuration options that would be nice:
The I think this one largely gets at some of the use cases I was describing above: nginx.ingress.kubernetes.io/auth-tls-verify-client: optional_no_ca |
It's also important to remember that, if the following are true:
Then you can connect to This is roughly the same thing as domain fronting. |
I wonder if sane defaults plus an "I know I'm doing a dangerous thing" option could help with domain fronting. That is, if your listener is configured in But, if you're in |
@alanchrt you're talking about two modes: one that enforces that Host matches SNI and the other that doesn't, right? We're not terminating TLS vs. passing it through for a backend to terminate? If that's correct, I like the idea but would probably look for different terminology ;). I'm not convinced the non-enforcing mode needs to exist at all. What's the use case for upstreams actually needing to route based on Host header? I'd consider setting the Host header for the upstream request to force it to match SNI. The host header is ignored all the time (e.g., most non-proxy web applications will ignore the host header). In a case like this, I can't think of a way it would ever break non-malicious clients. I don't have as much experience with http/2 so I have no comment on whether this might affect those clients. |
I think per the HTTP2 spec servers are expected to return a 421 here in some scenarios - this allows the browser to automatically retry when its optimizations cause it to not match |
@mmalone Actually, I wasn't trying to suggest Enforcement of SNI host and HTTP As an example of an upstream routing based on This is totally contrived, but imagine they decided they wanted to have cient cert auth on Again, contrived, but I could see scenarios where someone might want it. In the above scenario, they could set |
Fix kustomization.yaml
/reopen |
@arkodg: Reopened this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/kind gep |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/remove-lifecycle stale Since the GEP is still in motion. |
@arkodg are there conformance tests planned? |
thanks for the reminder, let me create a issue to track it |
Doesn't seem like we've had motion on this recently? /remove-lifecycle frozen @arkodg just wanted to check in, did you have any thoughts or a summary update for this one? |
next steps here would be
we're still on 1., afaik, no one has implemented this yet |
Arko if I'm understanding correctly you're actively/planning-on moving this one forward: /priority important-longterm Can you please help us to better understand a rough idea about what you imagine you'll be able to deliver and roughly when you'd like to try for that? Not looking for a promise just trying to get a feel for your capacity and what you're thinking, so we can look at organizing this along the upcoming milestones. |
What would you like to be added:
The ability for a HTTPS (or TLS generally) endpoint to require that the client present a certificate that can be validated according to some configurable policy.
Why is this needed:
As an application developer, I want to restrict access to my application to a certain audience of clients. The audience is defined by one or more of
I want the infrastructure to guarantee that I only receive client traffic that originates from this audience.
/kind user-story
The text was updated successfully, but these errors were encountered: