Skip to content

Latest commit

 

History

History
679 lines (547 loc) · 41.2 KB

meeting-notes-2018.md

File metadata and controls

679 lines (547 loc) · 41.2 KB

Kubernetes Sig-auth Meeting Agenda

December 26, 2018, 11a - Noon (Pacific Time)

  • Canceled for holidays

December 12, 2018, 11a - Noon (Pacific Time)

November 28, 2018, 11a - Noon (Pacific Time)

November 14, 2018, 11a - Noon (Pacific Time)

  • Canceled due to kubecon china and code freeze

October 31, 2018, 11a - Noon (Pacific Time)

  • Recording
  • Announcements
    • Code freeze November 15th (middle of kubecon China)
  • Demos
  • Pulls of note
    • .
  • Designs of note
    • .
  • Discussion topics
    • [klizhentas] Discuss CSR API promotion out of beta kubernetes/kubernetes#69836
      • API shape/issues
        • Requires requesters to know all the info about the end certificate
        • Use for higher-level requests ("give me a node client cert", "give me a serving cert for a pod backing a service")
      • Approval flow/issues
        • Cannot limit or add components to request (limit or add SANs, usages, etc)
      • Signing flow/issues
        • Method for multiple signers to interact (or approver to indicate what signer should be used)
      • Guarantees on issued certificates
        • No (current) guarantee all requested extensions/SANs are issued
        • No (current) guarantee issued client certificates will be accepted as API client certs
    • [liggitt] node self-labeling resolution
      • NodeRestriction limits self-labeling under kubernetes.io and k8s.io
    • [mikedanese] moving service account token secret mounts to projected volumes
      • Breaks in the presence of PSPs that only allow secret volumes
      • Ugly options:
        • Change PSP to allow projected volumes if secret volumes are allowed
      • Discussion in #69848
  • Action items
    • [Mike] CSR ?

October 17, 2018, 11a - Noon (Pacific Time)

  • Recording
  • Announcements
    • s/@liggitt/@enj/ in sig-auth chairs (thread, PR)
  • Pulls of note
    • NodeRestriction prevents node label updates (#68267)
      • Preference for well-known labels and prefixes (zero-config)
        • Will try to reconcile with proposed approach for CSI labels
      • Will start thread with sig-node/storage/auth
      • Possible that adding arbitrary labels on node create (kubelet --node-labels flag) could still be allowed
        • Depends on nodes not being able to delete themselves
        • Assumes a new node isn't compromised
        • Alternative could be to taint nodes that register with unknown labels
        • Might be useful to survey use of kubelet --node-labels flag
    • authenticator interface change (#69582)
      • Plumbs context to allow cancelation of backend webhook token authn
      • Add Response which includes Audience (expected audience of authn, needed for token review of non-api server audiences) and user.Info
      • Old servers will ignore audience and hence not validate (so client side validation will be required for some time)
    • Migrate service account volume to a projected volume (#69848)
      • Requires kubelets 1.6 or newer
      • Concerns around the implicit API for SA token secret (contains both the token and the CA data, but we would like not to include the CA data and instead have a config map in the namespace/combining the data using a projected volume)
      • AI: communicate that users that want to obtain service account credentials for use outside of pods should do so explicitly with a dedicated secret
      • AI: put together roadmap for:
        • making it possible to stop auto-generating token secrets
          • measure impact to kube/e2e/conformance as a sample of the issued users will encounter
        • timeline for enabling that option by default
        • timeline for removing the option to auto-generate token secrets
  • Designs of note
  • Discussion topics
    • Seeding TL thread
    • Need sub projects to merge, update owner files, and pick initial technical leads based on owner files
    • Subproject PR - #2525

October 3, 2018, 11a - Noon (Pacific Time)

  • Recording

  • Announcements

    • [liggitt] Kubernetes Third-Party Security Audit Team Formation (link)
    • [liggitt] Proposed sig-auth chair change (thread)
    • [aishs] Update on k8s 1.13 timeline and discuss feature load

    Features in 1.13 (from 1.12)

    *   1. [600: Dynamic Audit Configuration](https://github.com/kubernetes/features/issues/600) - pbarker
*   2. [22: API Audit Logging](https://github.com/kubernetes/features/issues/22) - tallclair
*   3. [542: TokenRequest API and Kubelet integration](https://github.com/kubernetes/features/issues/542) - mikedanese

  • Pulls of note *

  • Discussion topics

    • [pbarker] discuss changes to dynamic audit api #2738
    • [enj] Should we allow admins/editors in a namespace to create events in that namespace (change default RBAC policy)?
      • Audit is the system of record now (so the creation of fake events is less dangerous / they are not trusted sources of cluster information)
      • Events are still useful for debugging
        • Namespace scoped controller can use them to report failures
          • Makes it easier to test on a cluster with limited access
        • CI system could emit events to show progress or failures
      • Users could falsely trust events made by a malicious party

September 19, 2018, 11a - Noon (Pacific Time)

September 5, 2018, 11a - Noon (Pacific Time)

  • Cancelled, no agenda items, release is closing out

August 22, 2018, 11a - Noon (Pacific Time)

August 08, 2018, 11a - Noon (Pacific Time)

  • Recording
  • Announcements
    • HashiCorp Vault KMS provider - repo. Feedback welcome.
    • Audit event type promotion to v1 - #65891
  • Pulls of note
  • Discussion
    • Container-level service account: kubernetes/community#2497
      • Concern: pod is the security boundary, separating permissions at the container level could create some unexpected attack vectors
      • Useful for auditing
    • Kubelet TLS Bootstrap GA kubernetes/features#43
      • client bootstrap flow to GA in 1.12
      • client rotation stays in beta in 1.12
      • server rotation promoted to beta in 1.12 (kubelet-only, must bring own approver)
      • CSR API is still v1beta1. Some potential improvements desired before v1:
        • approver has input to add/remove/modify the cert that is signed
        • signing profiles
        • integration to produce certs with service DNS names as SANs

July 25, 2018, 11a - Noon (Pacific Time)

  • Recording
  • Announcements
    • (kksriram) Reviewing the Vault KMS provider with HashiCorp this week. Goal is to make repo public this week.
    • feature freeze is 7/31... be sure there are issues filed in kubernetes/features for feature work targeted at 1.12 by then
      • Please check milestone labels are correct for v1.12
      • sig-auth features
      • Also if somebody might prune out anything that's there which is old/stale or done / not going to be done, that would be awesome. A lot of open 2016 and 2017 stuff for sig/auth.
  • Discussion
    • Discuss addition of dynamic policy to audit kep #2407 *
    • Question for KEP process (take to sig-arch?)
      • How do evolutions/additions to an accepted/implementable KEP fit with the provisional/implementable bit?

July 11, 2018, 11a - Noon (Pacific Time)

  • Recording
  • Discussion
    • plan for secrets (@mayakacz, @immutableT)
    • Improvements made:
      • 1.7 - kubelet doesn't have access to arbitrary secrets when using the Node authorizer and NodeRestriction admission plugin (on by default in kubeadm and kube-up deployments)
      • 1.7 - encryption at rest added in alpha state
      • 1.10 - KMS extension point added in alpha state
      • 1.11 - authorization of watches of individual secrets now possible (no longer require global watch authorization for controllers that only need particular secrets)
    • Next steps?

June 27, 2018, 11a - Noon (Pacific Time)

  • Recording
  • Announcements
    • New sig-auth chair
    • New zoom meeting link (will update calendar and the link in this document)
  • Demos
  • Pulls of note
  • Discussion
    • Authorization length limits (@tallclair) - Do we want to support abusing the authorization interfaces for things completely unrelated to Kubernetes? For instance, many resources have a 253 character limit on names, but SubjectAccessReviews allow arbitrarily large values for name, resource, subresource, verb.
      • What would the authorizer's response be if an API URL with a name segment longer than 253 chars was accessed?
      • @tallclair will open issue proposing abuse limit (~8k, etc)
        • Should detail behavior at each level if things that exceed that limit are presented
      • Authorization layer is intentionally agnostic toward meaning of resource/subresource
    • 1.12 planning/discussion deferred to next meeting because of 1.11 wrap-up

June 13, 2018, 11a - Noon (Pacific Time)

  • Recording
  • Announcements
  • Demos *
  • Pulls of note *
  • Discussion
    • Last call for chair nominations to fill Eric's spot
      • If you are interested in this role (or would like to recommend someone), please send Tim and Jordan an email at with references to existing contributions.
      • Hope to recommend a candidate and solicit feedback from the SIG by June 15th
    • Bound Service Account Tokens use case for dynamic webhook configuration (@mattmoyer/@pbarker)
      • Possible to fetch/use audience-scoped tokens for use with webhooks?
      • How we determine the audience is questionable
      • Token could be fetched/requested, or injected
    • Further discussion on dynamic audit configuration #2188 (@pbarker)
      • Static, non-overrideable flag-based config (what we have today)
      • Dynamic configs (namespaced and cluster-scoped? Harmonize with other policy approaches - scheduling, etc. More discussion in wg-policy)
    • Node agents want to add taints to themselves (@mikedanese)
      • jordan's preferred solutions
      • Opinion: "Conditions are unnecessary indirections; well known key prefix is hard since there will be vendor specific taints; updating node controller is hard but is probably equivalent to updating the admission controller"
      • We need this for k8s-node-termination-handler
    • How do we track subproject efforts? (@mikedanese)
    • Quick note: deficiencies of CSI as it relates to pod identity
    • Next meeting: 1.12 plans
      • Mike: make umbrella issue for tokenrequest work
      • Jordan: make umbrella issue for node restriction work
      • @x13n: make umbrella issue for audit work
      • <add your planned work items/areas here for discussion>

May 30, 2018, 11a - Noon (Pacific Time)

May 16, 2018, 11a - Noon (Pacific Time)

May 2, 2018, 11a - Noon (Pacific Time)

  • Meeting cancelled

April 18, 2018, 11a - Noon (Pacific Time)

  • Recording
  • Announcements
    • sig-auth status update @ contributor summit - draft [tallclair]
  • Pulls of note
    • No new significant pulls, previously mentioned work is still ongoing
  • Designs of note
    • Security Profiles [yisui]
      • Unified description of startup options (consumable by installers or manually)
      • cluster-level policy (applied at setup or at profile change)
      • namespace policy (continuously applied)
    • Update on ServiceAccountTokenVolumeProjection [mikedanese]
      • Presented to sig-storage
      • Working through "public" configmap volume source ACL
  • Discussion
    • Governance proposal
      • Lays out three leadership roles (chair, tech lead, subproject owner)
      • Tech lead and subproject owner roles were made distinct to think through which responsibilities belonged where, even though initially, the same people might be filling both roles
      • Defines sig-auth membership (contributors to a subproject or sig health area, docs, tests, etc), for purposes of voting if needed
      • Minimal comments on doc, will send out call for lazy consensus to mailing list
    • Subprojects (must be a member of the sig-auth google group to view)
      • Will convert to community PR and send out to mailing list for comments (and to ensure identified subproject owners agree they are responsible for those areas)
    • Guidelines for node-level plugin auth [tallclair]

April 4, 2018, 11a - Noon (Pacific Time)

  • Recording
  • Announcements
    • Calendar invite updated
  • Demo
    • citadel @enj @npmccallum: Turn an arbitrary command into a KMS GRPC server (~5 to 10 minutes)
      • Feedback would be greatly appreciated
      • Many systems you would want to integrate with don't use gRPC
      • Citadel implements the gRPC service, then fetches the key encryption key from the external KMS
      • TODO: measure performance
  • Pulls of note
    • scheduling policy (@tallclair)
      • Questions about what policy should look like inside of Kubernetes
        • How policies are composed, defaulting, binding, etc…
      • Next policy we need to add as in tree policy
      • Conversations in policy-wg
      • On a related note, PodRestriction won't go forward
    • Removing node.ExternalID (@mikedanese) * kubernetes/kubernetes#60692 * kubernetes/kubernetes#61877 * Removes the need for kubelets to self-delete their Node objects \o/ * Field is replaced with instanceID field
      • Mutable, so kubelets never need delete/recreate to change
      • Use as source-of-truth vs cloud-provider lookup optimization is being debated in other PRs
  • Designs of note
    • Kubelet TLS bootstrap via TPM (@awly)
      • Data placed in CSR objects is not guaranteed to be confidential, need to be careful to ensure it is tightly bound to the specific CSR
        • CSR attestation data doesn't have sensitive information. Even if CSR or final approved cert are leaked, they are useless without corresponding private key.
      • Related to TLS client cert support for exec plugin: kubernetes/kubernetes#61803
        • How would we make this support non-exportable keys?
        • Would adding non-exportable key support overload the exec plugin interface? What performance expectations do we have from TLS handshakes?
    • service account token volumes (@mikedanese)
      • Open question: how to get the CA cert to the volume?
        • Possibly use kube-public namespace?
  • Discussion

March 21, 2018, 11a - Noon (Pacific Time)

  • Recording
  • Demo
    • https://github.com/CaoShuFeng/k8s-audit-collector
      • Some comments about use of service account
        • Exporting SA token and using it for user-auth seems like an anti-pattern we should discourage. Where you can't distinguish code taking actions with a credential from users taking actions it complicates access control, auditing, and incident response when evaluating damage of a lost/stolen credential.
        • Users should only assume service account identities during debugging. Can be achieved without service account credentials using ActAs delegation.
      • Lack of guidance here?
        • Action item: write this up!
  • Designs of note
    • PodRestriction (@tallclair)
      • Whitelist and blacklist type of restrictions only.
      • Scheduling piece of this yet to be decided.
      • Enforced at namespace level.
      • Feedback requested on BindingMode behaviour.
      • Overlap with policy wg and opa
      • How does lack of defaulting working with pods that express no opinion?
        • Handled through something like pod presets
      • TODO: sig-scheduling and policy-wg
    • [Update] kubernetes/community#911 reduce scope of node on taints/labels (sig-node)
      • Deferring work on moving reporting of node address
  • Discussion
    • SIG contribx presentation (Paris Pittman)
      • Feedback wanted
      • Defining bot commands and labels
        • How are you using them? Are you using them?
        • Help wanted issue and beginner issues
        • How do you find out about these changes?
      • Contributor and developer guide
        • Please review
      • Suggestions for mentoring
    • Formalizing feature tracking for 1.11 (@ericchiang)
      • Many features were in an unclear state over 1.10
        • Not just alpha/beta/stable, but what work there was to do, what work had been done
      • Considering encouraging more umbrella bugs like #60392
      • Subprojects

March 7, 2018, 11a - Noon (Pacific Time)

  • NO SIG AUTH (busy with release)
  • Announcements
    • SIG-auth presenting at the Kubernetes community meeting

February 21, 2018, 11a - Noon (Pacific Time)

  • Recording
  • Announcements
    • 1.10 code freeze is 2/26
      • Time to make progress on stalled PRs/designs if desired for 1.10
  • Pulls of note
  • Designs of note
  • Needs Review
    • Documenting the KMS encryption provider (Issue, PR).
    • 10 sig/auth PRs in the v1.10 milestone (PRs)
  • Discussion
    • Container Isolation (@tallclair)
      • Great that this is separated from individual implementations
      • Goal is to have some sort of way to expressing a workload running in a VM
      • Questions about boundary being the container or the pod. Will be expressed as different APIs. (similar to kubernetes#55435)
    • Kubernetes bug-bounty program (Maya Kaczorowski)
      • Warnings about spam
      • Questions about cross-team coordination
        • Need to give the other SIGs the heads up
        • Don't do it before freeze
      • Current triage
        • Whoever responds first becomes the owner
        • Explicit rotation
        • Fix and release process
        • Requires adjustments
      • How do we handle scope?
        • Conformance
        • Questions around plugins
      • Out of scope
        • Outside of Kubernetes org
        • What's in the Kubernetes incubator?
      • Want to be programmatic about the scope
        • We have descriptions about hardening, but not actual tests
      • Start very narrow to start
        • E.g. only in core, no plugins
      • Note: someone to take over the threat model doc #504
      • Action items:
        • Funding
        • Working with other SIGs
        • Owners

February 7, 2018, 11a - Noon (Pacific Time)

  • Recording
  • Announcements
    • 1.10 code freeze is 2/26
      • Time to make progress on stalled PRs/designs if desired for 1.10
  • Pulls of note
  • Designs of note
  • Needs Review
    • gRPC KMS extension point implementation (#55684)
      • Last call for comments this week
      • External Google implementation in progress
      • External Vault implementation in progress
    • External client-go credential providers (#59495)
      • Last call for comments this week
      • Coordinate with api-machinery / Chao as client-go owner
  • Discussion
  • sig lead change * David Eads (@deads2k, Red Hat) stepping down as sig lead * Tim Allclair (@tallclair, Google) nominated as replacement * Long-term contributor to k8s auth/security * Helped drive pod security policy and audit features * Member of kubernetes product security committee * Brings container/node security expertise * Unanimous support from other leads (Jordan Liggitt, Red Hat; Eric Chiang, CoreOS) * Feedback on the change welcome (either public or private) * Lead change to regain some company diversity was desired before starting to work through defining sig membership, subprojects, tech leads, etc, etc
  • Discuss the sig governance template PR (not merged, but fairly complete) as it applies to sig-auth: * Do we want to split out roles for sig-auth as proposed in the PR: project lead (needs a better name) that is organizational and helps set strategic direction and tech lead (heavy code, design architecture focus). * How many of each role? * Organizational diversity: after the acquisition of coreos all our current sig-auth leads work at the same company. * Agreement that there is value in documenting functional areas sig-auth is involved in, and the people responsible for them * Agreement that having people focused on strategic direction is valuable (complementing per-release work item planning)

January 24, 2018, 11a - Noon (Pacific Time)

  • Recording
  • Pulls of note
  • Designs of note
  • Needs review:
    • gRPC KMS versioning (#55684)
    • Introduce podsecuritypolicy.admission.k8s.io/v1beta1 #54933
  • Discussion:
    • Status on the client-go auth provider proposal. - community#1503
      • Open questions:
        • Format of client-go <-> plugin communications
        • Call patterns (cache in memory, on 401 or expiry re-call)
    • Should Audit Logging API go to v1 in 1.10? [@destijl, @crassirostris, @tallclair]
    • [enj] Thoughts on a subject rules review API (in relation to the current self subject rules review API)
      • Use case being "can x do all of [a, b, c]" or "is x an admin in namespace foo"
      • Granted it would be nicer to just ask the server to do the coverage check as well
      • Intent of SSRR API was advisory, not for externalizing policy rules for external authoritative evaluation
      • Still building out authorizer support (webhook, node)
      • Still need to reconcile with explicit deny support
      • Existing PR to express explicit deny in SelfSubjectRulesReview #53922
    • Status of TokenRequest proposal kubernetes/community#1460
      • Expressing request for expiring vs non-expiring token
      • Version of subresource (v1 vs v1alpha1)
    • Reducing scope of node on node actions community#911
      • Current proposal to use initializers (fate of initializers unclear)
      • Could have the approver (or signer) be cloud aware
        • If signer can fill in SANs, then client doesn't need as much access to figure out its requested SANs.

January 10, 2018, 11a - Noon (Pacific Time)

  • Recording
  • Pulls of note
  • Designs of note
  • Needs review: *
  • Discussion:
    • Kubelet TLS bootstrapping - GA in 1.10? - features#43 (@mattmoyer)
      • Note(@ericchiang): some open questions here: kubernetes#57164
      • Client bootstrapping
        • Could interact with client-go auth provider, obtain bootstrap credential externally
      • Client rotation
        • Still have a lot of logic baked into the kubelet, makes it difficult to take advantage of platform-specific CSR-informing features
      • Server bootstrapping
        • Blocked on self-reported node address trustworthiness (API-enabling work in 1.10 - @liggitt)
        • Requires refactor of kubelet startup flow and triggers of serving cert updates
          • Question: externalize and make the kubelet pick up certs from disk?
    • Idea for K8s vulnerability reward program [@destijl]
      • Needs well-defined setup/config demonstrating current best practices
      • Define boundaries well
      • Initial spike of activity/responses needed
      • Funnel into existing security process, use as impetus to make process and timeframes better defined
      • Ongoing commitment for new releases, responding with fixes (cross-sig)
      • Long-term, could inform other CNCF projects
    • Cross-authorizer RBAC escalation check - #56358 (@liggitt)
      • Will rethink as specific escalate query rather than superuser subject access review (parallel to bind check)
    • TokenRequest and key rotation [@mikedanese]
      • Current tokens are non-expiring, but bound to service account and secret objects (by embedded uid claims)
      • How to encourage applications to expect/support rotation
        • Client-go/in-cluster-config libraries support rotation
      • Option: separate signing keys for expiring/non-expiring
      • Limits on token lifetime - min of:
        • Requester expiration time (if specified)
        • Admin-specified max time (if specified)
        • Deletion of bound object (pod, secret, service account, etc)