Replace usage of static client credentials for components running in seed talking to the shoot API server #4661
Status: Closed (35 tasks done)
Tracked by: #4878
Labels: area/security, kind/enhancement, priority/2, roadmap/cloud
gardener-robot added the area/security and priority/2 labels on Sep 14, 2021.
rfranzke added the roadmap/cloud label on Sep 14, 2021.
rfranzke changed the title from "Replace usage of static `ServiceAccount` tokens for components running in seed talking to the shoot API server" to "Replace usage of static client certificates for components running in seed talking to the shoot API server" on Sep 14, 2021.

/assign @BeckerMax @rfranzke
rfranzke changed the title from "Replace usage of static client certificates for components running in seed talking to the shoot API server" to "Replace usage of static client credentials for components running in seed talking to the shoot API server" on Dec 8, 2021.
@jia-jerry There are already other, probably more detailed pics in the docs: https://github.com/gardener/gardener/blob/master/docs/concepts/resource-manager.md#tokenrequestor
How to categorize this issue?
/area security
/kind enhancement
/priority 2
What would you like to be added:

Today, all of the components running in the seed clusters and talking to the shoot's API server use a kubeconfig with a static client certificate issued by the cluster's certificate authority (example).

Instead, let's start using similar concepts compared to projected `ServiceAccount` tokens supported since Kubernetes v1.12. Concretely, we have to use the `TokenRequest` API of the shoot's API server to issue short-lived tokens for the respective components. The tokens should be stored in dedicated `Secret`s in the shoot namespace in the seed cluster so that they can be mounted to the respective `Pod`s. Similar to how the kubelet issues a new token when the lifetime reaches 80%, we should refresh such tokens regularly and update them in the respective `Secret`s in the seed. This also allows us to use the same kubeconfig for all components, which plays well together with what is proposed in #3598.

Also, it helps reduce the load on the Garden cluster since no client certificates/kubeconfigs would be generated anymore for such components, hence reducing the size of the `ShootState` and also the size of the etcd backup.

For example, the following kubeconfig could be generated by gardenlet and stored in the `kubeconfig` `Secret` in the shoot namespace:

Also, let's say the short-lived token was stored in the `some-component-shoot-token` `Secret` in the shoot namespace:

Then the `PodSpec` would look as follows:

Why is this needed:

In order to eliminate static credentials requiring costly manual rotation, which doesn't scale.

Projected `ServiceAccount` tokens can be configured with `expirationSeconds` and are regularly auto-rotated and re-mounted by the kubelet without further ado. Clients are expected to regularly reload the token; however, `client-go` supports reloading the tokens specified in `tokenFile`s since `v10.0.0` (see kubernetes/kubernetes#70606), and most of the components are either already using this version or could be updated.

Target Picture:

New in this picture is: Secret with short-lived token. Also, the pod spec is adapted to mount the token and the component kubeconfig points to the mounted `tokenFile`. In the Shoot the ServiceAccount needs to be added and referenced by the existing rolebinding.
Open Questions:

- `audiences`. We are currently unsure what this field does.

Tasks:

- Prepare `gardener-resource-manager`
  - `ServiceAccount` token invalidator #4817
  - `ServiceAccount` token requestor controller #4867
  - `TokenRequestor` to be able to sync tokens to a `Secret` in the target cluster #5084
- Adapt `gardener/gardener` components
  - `TokenRequestor` and eliminate client certificate for `kube-scheduler` #4931
  - `kube-controller-manager` and `cluster-autoscaler` #5007
  - `kube-state-metrics` and `prometheus` #5008
  - `vpa-{admission-controller,recommender,updater}` #5009
  - `kube-rbac-proxy` #5010
  - `gardenlet` and extension controllers #5012
  - `cloud-config-downloader` #5121
  - `gardener-resource-manager` #5138
  - `promtail` #5153
  - `dependency-watchdog-probe` #5685
  - {`Worker`, `ControlPlane`} actuators and `terraformer` library for elimination of static credentials #5163
- Adapt `gardener/gardener-extension-*` components
  - `shoot-cert-service`: 🛡 Revendor `gardener/gardener@v1.39`, update Golang version to `1.17`, enable `ServiceAccount` token projection and token requestor gardener-extension-shoot-cert-service#103
  - `shoot-dns-service`: 🛡 Revendor `gardener/gardener@v1.39`, update Golang version to `1.17`, enable `ServiceAccount` token projection and token requestor gardener-extension-shoot-dns-service#96
  - `shoot-oidc-service`: 🛡 Revendor `gardener/gardener@v1.39`, update Golang version to `1.17`, enable `ServiceAccount` token projection gardener-extension-shoot-oidc-service#16
  - `provider-alicloud`: 🛡 Enable `ServiceAccount` token projection and token requestor gardener-extension-provider-alicloud#405
  - `provider-aws`: 🛡 Enable `ServiceAccount` token projection and token requestor gardener-extension-provider-aws#467
  - `provider-azure`: 🛡 Enable `ServiceAccount` token projection and token requestor gardener-extension-provider-azure#421
  - `provider-gcp`: 🛡 Enable `ServiceAccount` token projection and token requestor gardener-extension-provider-gcp#368
  - `provider-openstack`: 🛡 Enable `ServiceAccount` token projection and token requestor gardener-extension-provider-openstack#369
  - `provider-vsphere`: 🛡 Enable `ServiceAccount` token projection and token requestor gardener-attic/gardener-extension-provider-vsphere#192
  - `provider-equinix-metal`: 🛡 Enable `ServiceAccount` token projection and token requestor gardener-extension-provider-equinix-metal#182
  - `external-dns-management`: 🛡 Enable `ServiceAccount` token projection external-dns-management#237
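What the three manifests the issue refers to (kubeconfig `Secret`, token `Secret`, `PodSpec`) could look like, as an added illustration that is neither the issue's own snippets nor Gardener's actual manifests; the API server URL, CA bundle, shoot namespace, image and mount path are assumed placeholders:

```yaml
# kubeconfig in the "kubeconfig" Secret: no credential, only the token file path
apiVersion: v1
kind: Config
clusters:
- name: shoot
  cluster:
    server: https://kube-apiserver                  # assumed service name
    certificate-authority-data: <CA_BUNDLE_BASE64>  # placeholder
contexts:
- name: shoot
  context: {cluster: shoot, user: some-component}
current-context: shoot
users:
- name: some-component
  user:
    tokenFile: /var/run/secrets/gardener.cloud/shoot/token
---
# token from the TokenRequest API; rewritten by a controller before expiry
apiVersion: v1
kind: Secret
metadata:
  name: some-component-shoot-token
  namespace: shoot--foo--bar                        # assumed namespace
type: Opaque
data:
  token: <SHORT_LIVED_TOKEN_BASE64>                 # placeholder
---
# PodSpec excerpt: kubeconfig and token projected into one directory
apiVersion: v1
kind: Pod
metadata: {name: some-component, namespace: shoot--foo--bar}
spec:
  containers:
  - name: some-component
    image: <IMAGE>                                  # placeholder
    args: ["--kubeconfig=/var/run/secrets/gardener.cloud/shoot/kubeconfig"]
    volumeMounts:
    - name: shoot-access
      mountPath: /var/run/secrets/gardener.cloud/shoot
      readOnly: true
  volumes:
  - name: shoot-access
    projected:
      sources:
      - secret:
          name: kubeconfig
          items: [{key: kubeconfig, path: kubeconfig}]
      - secret:
          name: some-component-shoot-token
          items: [{key: token, path: token}]
```

Because the token lives in a plain `Secret` rather than a kubelet-managed projected volume, rotating it before expiry is the job of whatever writes the `Secret`, and the component relies on `client-go`'s `tokenFile` reloading to pick up the new value.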