Improving Secure Pod-to-Pod Communication Using Trust Bundles
Ted Hahn, Mark Hahn

Mutual TLS - Secure Pod-to-Pod communication
- Every Kubernetes pod should include an SSL certificate verifying its identity.
- This should be signed automatically, and be specific to each pod.
- We have updated KubeTLS to modularize the certificate creation and improve the …

What is a TrustBundle?
Note: This is a forward-looking feature, KEP-3257, that has yet to be implemented. We want to show some of the possible use cases.
- A Trust Anchor, or Root of Trust, is a cryptographic entity that you trust implicitly. Typically you express this as an X.509 certificate with the CA bit set.
- A Trust Bundle is one or more trust anchors combined together, with the same implicit trust.
- You already use a Trust Bundle: the Web Roots provided by your base OS or by your web browser.

Brief detour - Certificate Authorities

How to use TrustBundles?
- TrustBundles implement a small-scale scope of trust.
- The Web Trust Bundle is one of the topmost layers of most Docker images.
- Docker images should be small.
- ClusterTrustBundles can be mounted like ConfigMaps, replacing the Web Trust Bundle.
- Rapid updates to TrustBundles.
- Limiting trust scope.
- Limiting trust from KeyNote.

What is KubeTLS
- KubeTLS is about automatically injecting certificates that provide workload identity into every pod and every container in a cluster.
- These certificates provide Privacy, Authentication and Authorization.
- These certificates work with TrustBundles to assist in mutual system identification.

Secure Networking on Kubernetes
The complicated way: sidecars or CNI with network policies
- Sidecars add latency, and a management layer separate from the applications.
- Network policies add that management layer separate from the applications.
The native way: all application containers natively support TLS
- Applications are in charge of security.
- Applications implement business-specific security logic.
- KubeTLS assists with implementing.

TLS Everywhere
Using TLS natively everywhere eliminates various attack vectors by encrypting all traffic inside the application:
- Privacy is provided by TLS.
- Authentication is provided by mTLS using the TrustBundle.
- Authorization is provided by inspection of the client-provided certificate.

Unpacking what is KubeTLS
- KubeTLS is an admission controller using a MutatingWebhookConfiguration object.
- KubeTLS provides three files by modifying the pod on admission:
  - A private key
  - A matching certificate, signed by our trust bundle
  - The trust bundle itself (since KEP-3257 is TBD)
- These are the building blocks of a TLS-native architecture.

Our opinions
We have strong opinions on TLS:
- Your applications should speak only TLS.
- Your internal applications should not use the web root of trust.
- You need to design your organization's zones of trust.
- Your internal applications should use an internal CA.
- Your applications should present a client certificate.
- You should validate the client certificate as caller identity.

What not to do

Our Opinion

Internal API Server

KubeTLS Certificate Distribution

Our Opinion on Partner Trust

KubeTLS Certificate Creation Details
- When a pod is created, KubeTLS's admission controller is called.
- KubeTLS looks up the container's service (via metadata).
- KubeTLS will create and approve a certificate signing request (CSR).
- The certificate manager will do magic to create a cert.
- KubeTLS creates a secret with: the private key, the service cert, the root CA cert.
- KubeTLS attaches the secret to all containers in the pod.
- KubeTLS responds to the pod admission web call.

KubeTLS X.509 Key Fields
- Common Name: name of the pod
- Subject Alternative Name (SAN): DNS with the name of the services; URI with the SPIFFE SVID
- Key usage and extended key usage: identified as web server and client
- Issuer (aka signer) identification

Demo Time
Demo time, open the command line
And let you out into the shell
Demo time, turn all of the servers on
Over every pod and every service
Demo time, one last call for changes
So, finish your commit or PR
Demo time, you don't have to log out
But you can't stay here.
(apologies to Semisonic)

Wrap up
- Having certificates automatically populated is easy.
- Developers should know/learn how to use mTLS.
- KubeTLS is identity policy agnostic.
- Once everybody is establishing authentication through mTLS we can move to establishing authorization through mTLS.

Future Directions
- Private keys should be generated on nodes.
- KubeTLS will move to a CSI model.
- This should be built into Kubernetes.

Repository: https:/ S
Feedback link:

Additional Notes
The following slides and notes are useful.

Auto mount service account tokens: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/

KubeTLS Admission Webhook

apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
webhooks:
- admissionReviewVersions:
  - v1beta1
  clientConfig:
    caBundle:          # base64-encoded CA bundle; blank in the original slide
    service:
      name: kubetls
      namespace: kubetls
  name:                # webhook name; blank in the original slide
  rules:
  - apiGroups:
    - ""               # the core API group, where pods live
    apiVersions:
    - v1
    operations:
    - CREATE
    resources:
    - pods
  sideEffects: None    # required by the v1 API; not on the original slide, value assumed