KEP-4317: Pod Certificates

[ahmedtd]

This PR adds the initial content for KEP-4317, which outlines machinery for:

• Representing pod identities in X.509 certificates and certificate requests,
• Generically provisioning certificates to pods,
• Specifically provisioning kube-apiserver client certificates to pods, and
• Using pod identity certificates to authenticate to kube-apiserver,.

This KEP is still in the draft/discussion phase. Significant changes are anticipated based on review and discussion in SIG Auth.

• Issue link: Pod Certificates #4317
• Draft implementation: [WIP] Pod Certificates kubernetes#121596

[mtaufen]

Does anything prevent non-Kubelets from adding a Pod binding in TokenRequest, today? noderestriction doesn't appear to limit it, at least.

[ahmedtd]

I believe it is forbidden at some level. But I guess we should just try it out.

[mtaufen]

We included Node UID in https://github.com/kubernetes/kubernetes/pull/120780/files#diff-0c530c4dd8479db341cd002079be7ab62e34d49b42540785df9ad17431c8f108R243 and should probably do the same here.

[sftim]

Are all these fields required? If they are, I think we might one day regret not making the node name / uid optional.

[ahmedtd]

In the extension data itself, all fields are optional, in that you can always leave them as the empty string. (I don't think the ASN.1 parser in Go tries to handle field presence or absence).

If the extension appears in a CertificateSigningRequest from a kubelet, the node restriction plugin will enforce that all the fields are populated, and consistent with reality.

If the extension appears in an issued certificate, I think it's up to the component that's validating the certificate to decide which fields it cares about. For the specific example of certificates issued by the kubernetes.io/kube-apiserver-client-pod signer/approver, we probably want kube-apiserver to check all of the fields before letting the request past the authentication stage.

[bleggett]

I think clearly documenting a minimum, non-negotiable subset of required fields that are provably sufficient to guarantee unambiguous pod<->cert binding in Kubernetes is required, or including this ASN.1 OID field as an overall KEP requirement isn't much use.

Otherwise they can be left all empty, enforcement is implementation-dependent, and I can be fully compliant with this KEP and use a single cert for every pod in the cluster depending on whatever internal attestation logic the CSR admission controller I'm using happens to employ.

[ahmedtd]

Sure, I can add a detailed proposal for exactly which fields need to be set in order for kube-apiserver to allow authentication via a certificate containing a PodIdentity extension.

[ahmedtd]

Based on discussion in API review, we are going to go with a dedicated PodCertificateRequest type, rather than encoding these details in the existing CertificateSigningRequest spec.request field. This drastically lowers the importance of the PodIdentity extension, since it will only be used by the kube-apiserver-client-pod signer, not every third-party signer that wants to integrate with pod certificates.

[mtaufen]

Somewhat off-topic, but... What would it take to network bind these certificates? E.g. assuming we can trust the underlying network to prevent IP spoofing, could we include a node or pod source IP here as well?

[ahmedtd]

That's basically it --- we need to write the IP here, have kube-apiserver cross-check it during admission, and then ensure it ends up in the PodIdentity extension for the final cert. Then kube-apiserver can check it during TLS termination.

[bleggett]

Doesn't even have to be kube-apiserver that validates during admission, IIUC?

E.g. you could use SPIRE's attesting agent to validate the admission request for the cert and reject if out-of-band validations fail, or any other thing.

[sftim]

Is this related to ClusterTrustBundles?

[sftim]

Thanks. Here's a bunch of feedback - a mix of style nits and opinions.

[aojea]

/cc @aojea

[ahmedtd]

Is this related to ClusterTrustBundles?

They're intended to work together. It's not needed for the kube-apiserver client certificate use case, but if someone were to build a pod-to-pod mTLS solution on top of this, they would need to use both ClusterTrustBundle and PodCertificate projected volumes.

[aramase]

/cc

[bleggett]

I'm assuming that this admission plugin is purely a reference impl, and people are free to write their own admission plugins which do more (or less).

...which also means the admission criteria is entirely implementation-dependent?

[ahmedtd]

The node restriction plugin is built in to kube-apiserver. It can probably be disabled, but I don't think it is on most distributions?

[bleggett]

Okay, so the noderestriction admission plugin is the default "floor" and people can always add more strict/granular admission plugins on top. IIUC, that makes sense.

[bleggett]

If I can write my own admission plugin and use that instead of the reference impl, I can implement whatever restrictions I like here, which makes it less important how strict or not the reference impl is.

My $0.02 is that the reference impl should restrict to the kubelet identity, at least initially.

[bleggett]

I can tell you from experience that no matter what algos and param defaults you pick, people are going to want to customize beyond those defaults pretty quickly for various compliance and internal reasons, and "shipping your own custom kubelet" is a bit of a lift to allow that.

In general I think it would be best to minimize the kubelet opinions and lack of flexibility around PKI algos and params.

[ahmedtd]

The problem here is that Kubelet has to generate the key, so fundamentally if we want to allow the user to exercise option X, then Kubelet needs to implement option X.

However, I'm not sure there really are any other choices to make for private keys. RSA lets you pick the modulus, which is specified here, and ECDSA lets you pick a curve, which is specified here.

[bleggett]

The problem here is that Kubelet has to generate the key, so fundamentally if we want to allow the user to exercise option X, then Kubelet needs to implement option X.

Yes, that's a bit unfortunate. I do understand it's an unavoidable limitation of the goals/non-goals here tho.

[bleggett]

Doesn't even have to be kube-apiserver that validates during admission, IIUC?

E.g. you could use SPIRE's attesting agent to validate the admission request for the cert and reject if out-of-band validations fail, or any other thing.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Mark this PR as fresh with /remove-lifecycle stale
• Close this PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Mark this PR as fresh with /remove-lifecycle rotten
• Close this PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[soltysh]

@ahmedtd please don't forget to creating a PRR file (see template in https://github.com/kubernetes/enhancements/blob/master/keps/prod-readiness/template/nnnn.yaml) and answering the questions, feel free to assign me for the PRR approval.

[ahmedtd]

@ahmedtd please don't forget to creating a PRR file (see template in https://github.com/kubernetes/enhancements/blob/master/keps/prod-readiness/template/nnnn.yaml) and answering the questions, feel free to assign me for the PRR approval.

I added the yaml file to the PR. However, I don't see any questions in it. Are you referring to the PRR questions in the main KEP body?

[ahmedtd]

Capturing some notes from discussion with Jordan:

• For Alpha, we are unsure about how much we want existing things that understand client certs to understand these new certs. To keep our options open, we will put a random UID as the CN, and not encode groups. In the future, we might decide to encode a meaningful CN and groups.
• New flag for pod client certificate CA, no sort of fallback logic.
• On kube-apiserver, continue to use one flag for all client certificate CAs.
• Use PEM in the PCR.

All of these points are now reflected in the text.

[soltysh]

a few comments from PRR review

[soltysh]

I believe the validation described here is strictly about the apiserver-side validation, not the kubelet. The important distinction is that this kind of validation will happen only during create/update actions.
Below, there's a description of noderestriction admission plugin, which does a consistency check combining the PCR with an actual pod.

[soltysh]

An important note: feature gates are only for the development phase, once this feature reaches GA they will be removed.

[soltysh]

Below sections although not required and won't block alpha are worthy of your time to try to tackle some of the answers. I believe you've already pointed out some issues with scalability after node restart.

[soltysh]

This holds, especially the rollout when you have api enablement + 3 various feature gates. Although I believe the overall recommendation will be to turn all at once.

[stlaz]

It's less about the usability, more about the maintenance.

You have to register multiple attributes for the RDNs to start with but:

• You don't have to write your own ASN.1 parser because this is just DN parsing.
• You don't have to port your parser into multiple languages
• You can reuse the RDNs for other purposes and you can combine them at will

I think this might be worth mentioning in alternatives at least.

[stlaz]

What would a backward-compatible change look like in this case? As per RFC5280 - Section 4.2:

  A certificate-using system MUST reject the certificate if it encounters
   a critical extension it does not recognize or a critical extension
   that contains information that it cannot process.

From Kubernetes perspective, adding an optional field would be considered a backward-compatible change, but the way I understand the above definition blocks this change as that would add information that the older versions of the parsers cannot process.

It's very much possible my interpretation of the RFC is too pedantic. I wonder if there's anyone in the community that would be able to confirm/deny.

[ahmedtd]

Strictly speaking, we don't need to mark the extension as critical. The only other content of the certificate will be some random bytes in the Subject.Name field, so it is unlikely that anything bad can happen if you present the cert to an application that doesn't understand the extension (or our custom RDNs, if we go that route).

[ahmedtd]

To close on this, I think we will mark the extension as critical. If we need to evolve the contents of the extension in the future, we will need to do so taking into consideration the behavior of TLS libraries when parsing the extension.

[neolit123]

i think it's worth mentioning explicitly as a non-goal that this proposal does not cover signing serving certificates for pods. that seems obvious and covered in the pod-to-pod mTLS point, but implicitly.

[ahmedtd]

It's a non-goal for the built-in signer to issue serving certs (although we will probably mark the certs to allow server cert usage; it doesn't hurt anything).

However, it's an explicit goal for third-party signers to be able to use the PodCertificate projected volume machinery to be able to issue serving certificates to pods.

[enj]

It's a non-goal for the built-in signer to issue serving certs (although we will probably mark the certs to allow server cert usage; it doesn't hurt anything).

I would not expect us to mark these certs as anything but client certs.

[ahmedtd]

Clarified in the text.

[ahmedtd]

I would not expect us to mark these certs as anything but client certs.

Agreed. As discussed on slack, we will only set the client cert usages. This doesn't preclude users from using them as server certs; since they will need to write custom TLS validation code, they can just ignore the lack of the "server" usage bits.

[soltysh]

the PRR for alpha is ok, although I'd still encourage filling in the metrics and the scalability secions

/approve

[soltysh]

We don't enable alpha feature gates in our regular e2es, so make sure to add them to appropriate test suite which does it.

[ahmedtd]

Will do. We had to do the same thing for ClusterTrustBundles.

[soltysh]

Nit: but the above comment explicitly requires both the directory and coverage 😅

[ahmedtd]

The coverage tab crashes in Chrome :/ I need to dig up a Firefox install

[soltysh]

You can always just run go test -race -cover <package> 😉

[ahmedtd]

Will do.

[soltysh]

We don't do that kind of checks anywhere I'm aware of, so I'd advise against it.

[soltysh]

Rather make sure to provide sufficient information in the logs or through events which would allow a user to identify such a situation.

[ahmedtd]

Removed that paragraph.

[soltysh]

This holds, especially the rollout when you have api enablement + 3 various feature gates. Although I believe the overall recommendation will be to turn all at once.

[ahmedtd]

@soltysh

This holds, especially the rollout when you have api enablement + 3 various feature gates. Although I believe the overall recommendation will be to turn all at once.

I'm sorry, can you elaborate? Are you saying that I should go ahead and fill this section out?

[enj]

First pass.

[enj]

It's a non-goal for the built-in signer to issue serving certs (although we will probably mark the certs to allow server cert usage; it doesn't hurt anything).

I would not expect us to mark these certs as anything but client certs.

[enj]

Need full docs for this signer like https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers

[ahmedtd]

Sure, but I don't think "we will adequately document the feature" is something we need to state in the KEP.

[enj]

No I mean, actually document the signer here, in the KEP itself.

[ahmedtd]

It is? In the section "API Server Pod Client Certificate Approver / Signer".

[enj]

Namespace UID?

[ahmedtd]

Sure, added.

[ahmedtd]

Hmmm, actually, I'm not quite sure here. The namespace is indicated by which namespace the PodCertificateRequest (and pod, and service account) are actually in

I'm not sure it makes sense to embed the UID of the namespace in the PodCertificateRequest, although we could have kubernetes.io/kube-apiserver-client-pod embed the UID in the issued certificate.

[enj]

Don't we need a timestamp or similar to prevent replay?

[ahmedtd]

I don't know how important this is --- the primary security guarantees here come from ensuring that only the correct kubelet can request a certificate for a given pod. The proof of possession is just to prevent (implausible) accidents, as far as I can tell from https://www.rfc-editor.org/rfc/rfc4211#appendix-C

[ahmedtd]

And https://www.rfc-editor.org/rfc/rfc4211#section-4 only says that the proof of possession should sign over some representation of the identity being requested. It doesn't include a timestamp.

[enj]

Okay per my reading of that RFC, I think the pod UID is sufficient when combined with all the other node admission checks (i.e. we know that this exact pod is scheduled on this exact node with this exact SA in the same namespace).

If a different node tried to replay the PoP, it would fail because that pod isn't scheduled to it.

[enj]

It seems really awkward to require this very manual process, especially with magic well known paths on disk in play.

[ahmedtd]

In the future, we can think about automatically injecting these as a replacement for the existing kube-apiserver-access volumes. I didn't want to cover that in Alpha because there's already enough work just landing the machinery without thinking about driving adoption.

However, I think there's a larger conversation to be had on this topic in SIG Auth. My personal thoughts are:

• Automatically granting API access credentials by default is probably a mistake. Most workloads in a Kubernetes cluster do not actually need to talk to the Kubernetes API.
• Mutating admission controllers (especially webhooks) cause a lot of problems. In general, workload authors expect the spec they write to be the spec that gets loaded into the cluster.
• In a perfect world, I would make workload authors who want Kubernetes API access opt in by inserting a token (or pod certificate volume).

[enj]

Yeah I am fine with this as-is, but lets discuss further in a future meeting.

[enj]

I suspect we could manually run enough of the kcm/kubelet pieces during integration tests to exercise the various node restriction and new signer bits.

[soltysh]

@soltysh

This holds, especially the rollout when you have api enablement + 3 various feature gates. Although I believe the overall recommendation will be to turn all at once.

I'm sorry, can you elaborate? Are you saying that I should go ahead and fill this section out?

I mean that it would be nice to see this section filled in, but it's not a hard requirement for alpha. Although usually going through that kind of exercise allows unlocking potential problems, which then leads to better designs of the feature.

[enj]

Minor stuff, lgtm.

[enj]

What if a client asks for a shorter TTL? What is the min TTL this signer supports?

[ahmedtd]

Good point. I will update so that it issues certs for min(maxExpirationSeconds, 24hours).

Edit: And we can rely on the new 1 hour minimum for maxExpirationSeconds.

[enj]

follow-up -> decide if we need to support both a max exp seconds per signer and a default per signer.

[enj]

Probably need a min for this field -> does not make sense to let clients ask for 1 second certs.

[ahmedtd]

Good point. Updated with a min of 1 hour. It should be safe to drop that down in the future.

[enj]

/lgtm
/approve

[enj]

@soltysh approved PRR here #4318 (review) but looks like the bot must have missed the GH event, tagging it manually.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: ahmedtd, enj

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• keps/prod-readiness/OWNERS
• keps/sig-auth/OWNERS [enj]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment