Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[release-v3.23] Auto pick #5910: Use TokenRequest API instead of calico-nodes service account #6218

Conversation

caseydavenport
Copy link
Member

@caseydavenport caseydavenport commented Jun 13, 2022

Cherry pick of #5910 on release-v3.23.

#5910: Use TokenRequest API instead of calico-nodes service account

Original PR Body below

Description

Use TokenRequest API instead of calico-nodes service account token for CNI kubeconfig.

With projected service account tokens in kubernetes, the service account tokens of pods
are bound to the lifetime of the corresponding pod. Therefore, it may lead to problems
if an external process re-uses the token of a pod.
The CNI binaries used the token of calico-node. However, in case calico-node got stopped
the corresponding token lost its validity and hence could no longer be used for CNI
operations. Usually, this automatically resolves over time, but there are some edge cases
where this is not possible, e.g. if calico-node is autoscaled in terms of resources and
the new resource requests would require preemption/eviction of an existing pod the CNI
operation to delete the network sandbox will fail due to the no longer valid token
(as calico-node was stopped beforehand).
This change switches over to using the TokenRequest API instead, i.e. creating new
tokens with limited validity. It would have been good to bind the token to an object,
e.g. to the corresponding node, but as of now only secret and pod are supported types
for binding tokens. Hence, the tokens are only limited in time and not bound to any
other kubernetes object.

Related issues/PRs

fixes #4857
fixes #5712

Todos

  • Tests
  • Documentation
  • Release note

Release Note

Calico now uses the TokenRequest API to generate and refresh a token for the CNI plugin.  This ensures that the token remains valid even when the calico-node daemonset is restarted. (@[ScheererJ](https://github.com/ScheererJ))

Reminder for the reviewer

Make sure that this PR has the correct labels and milestone set.

Every PR needs one docs-* label.

  • docs-pr-required: This change requires a change to the documentation that has not been completed yet.
  • docs-completed: This change has all necessary documentation completed.
  • docs-not-required: This change has no user-facing impact and requires no docs.

Every PR needs one release-note-* label.

  • release-note-required: This PR has user-facing changes. Most PRs should have this label.
  • release-note-not-required: This PR has no user-facing changes.

Other optional labels:

  • cherry-pick-candidate: This PR should be cherry-picked to an earlier release. For bug fixes only.
  • needs-operator-pr: This PR is related to install and requires a corresponding change to the operator.

…r CNI kubeconfig.

With projected service account tokens in kubernetes, the service account tokens of pods
are bound to the lifetime of the corresponding pod. Therefore, it may lead to problems
if an external process re-uses the token of a pod.
The CNI binaries used the token of calico-node. However, in case calico-node got stopped
the corresponding token lost its validity and hence could no longer be used for CNI
operations. Usually, this automatically resolves over time, but there are some edge cases
where this is not possible, e.g. if calico-node is autoscaled in terms of resources and
the new resource requests would require preemption/eviction of an existing pod the CNI
operation to delete the network sandbox will fail due to the no longer valid token
(as calico-node was stopped beforehand).
This change switches over to using the TokenRequest API instead, i.e. creating new
tokens with limited validity. It would have been good to bind the token to an object,
e.g. to the corresponding node, but as of now only secret and pod are supported types
for binding tokens. Hence, the tokens are only limited in time and not bound to any
other kubernetes object.
@caseydavenport caseydavenport requested a review from a team as a code owner June 13, 2022 23:09
@caseydavenport caseydavenport added docs-not-required Docs not required for this change release-note-required Change has user-facing impact (no matter how small) labels Jun 13, 2022
@netlify
Copy link

netlify bot commented Jun 13, 2022

Deploy Preview for calico-tigera ready!

Name Link
🔨 Latest commit 34e7fec
🔍 Latest deploy log https://app.netlify.com/sites/calico-tigera/deploys/62a7c39d8d1b4f0009d984ce
😎 Deploy Preview https://deploy-preview-6218--calico-tigera.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site settings.

@marvin-tigera marvin-tigera added this to the Calico v3.23.2 milestone Jun 13, 2022
@netlify
Copy link

netlify bot commented Jun 13, 2022

Deploy Preview for calico-v3-23 ready!

Name Link
🔨 Latest commit 34e7fec
🔍 Latest deploy log https://app.netlify.com/sites/calico-v3-23/deploys/62a7c39d16797600084bd266
😎 Deploy Preview https://deploy-preview-6218--calico-v3-23.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site settings.

@caseydavenport caseydavenport merged commit c2cfc74 into projectcalico:release-v3.23 Jun 14, 2022
@caseydavenport caseydavenport deleted the auto-pick-of-#5910-origin-release-v3.23 branch June 14, 2022 17:29
resources:
- serviceaccounts/token
resourceNames:
- calico-node
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the role containing this rule is also bound to the calico-node service account, it allows calico-node to mint tokens for calico-node. This creates a potential security issue where an attacker could steal a token and prevent their access from ever expiring by sending periodic TokenRequests for the same service account whose token they stole. Instead, it would be better to grant calico-node permission to request tokens for a separate service account that the CNI is intended to run as. For example, grant calico-node permission to mint tokens for a calico-node-cni service account, and grant calico-node-cni the permissions that the CNI needs. That way, no tokens have the ability to self-perpetuate.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, I agree. I hadn't spotted this particular issue but already have a ticket tracking this enhancement for other reasons as well: #5921

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
docs-not-required Docs not required for this change release-note-required Change has user-facing impact (no matter how small)
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants