ibm / trusted-service-identity Goto Github PK

Trusted Service Identity is closing the gap of preventing access to secrets by an untrusted operator during the process of obtaining authorization for data access by the applications running in the public cloud.

License: Apache License 2.0

Dockerfile 1.04% Shell 54.05% Smarty 40.64% Makefile 0.88% Go 3.39%

trusted-service-identity's Introduction

Trusted Service Identity (TSI)

This Universal Workload Identity project (also known as Trusted Service Identity) provides a deployment and an orchestration layer to support CNCF community initiatives Tornjak and SPIRE.

Notice1:

For all the original Trusted Workload Identity project, that was preceding the SPIRE and Tornjak integration, and focusing on keys and credentials management, and preventing access to secrets by untrusted administrator, please visit our main-no-spire branch.

Notice2:

The TSI version [tsi-version.txt] attempts to match the most recent SPIRE version that is currently supported by Tornjak. (See the Tornjak version file)

Introduction

Here is the stack that represents the layers of the Universal Workload Identity project. Most of the components are part of the CNCF (Cloud Native Computing Fundation) initiative.

Starting from the bottom, we support any Kubernetes Platform, whether this is a native Kubernetes or OpenShift.

Then we have SPIFFE, which defines the identity format and specifies how workloads can securely obtain identity.

Then we have SPIRE, which implements SPIFFE, and it provides the zero trust attestation of workloads and infrastructure. SPIRE is responsible for issuing and rotating of x509 certificates or JWT tokens that are used for representing identity. SPIRE also provides a single point of federation with OIDC discovery to be used across multi-cloud or multi-cluster deployments.

Above the SPIRE, we have Tornjak, a control plane and UI for SPIRE, which together with the K8s workload registrar, defines the organization-wise Universal Workload Identity schema. It provides the identity management across the SPIRE servers.

Then on the top layer we have Universal Trusted Workload Identity that is a guiding principle. It's a concept for using workload identity frameworks. This is not a specific technology.

Attributes of Universal Workload Identity

Define a single, consistent organizational identity schema across clusters in different clouds
Provide a Zero Trust workload identity framework with strong workload attestation with SPIRE + Cloud-provider Plugins with each K8s installation
Manage and audit workload identity, attestation and policies for all k8s workloads in every cluster
Linear and centralized management of identities/policies to handle quadratic complexity
Single configuration per cloud to federate all cloud access
Based on CNCF SPIFFE identity specification

The Universal, Zero Trust Workload Identity, runs on everything that supports Kubernetes platform. It strengthens the security, by executing the cloud-provider and the platform attestation of the hosting nodes. It can support various identity mechanisms like IAM, Keycloak, and open standards like OpenID using a consistent, universal identity schema.

Tornjak Deployment and Demo examples

For the documentation about deploying Tornjak with the SPIRE server and various demo examples, please see our documentation

Reporting security issues

Our maintainers take security seriously. If you discover a security issue, please bring it to their attention right away!

Please DO NOT file a public issue, they will be removed; instead please reach out to the maintainers privately.

Security reports are greatly appreciated, and Trusted Service Identity team will publicly thank you for it.

trusted-service-identity's People

Contributors

Stargazers

Watchers

Forkers

socioprophet bhaskers-blu-org1 hieudtrinh lumjjb maia-iyer mamy-cs bokiethio yassinejaoudi ghas-results abenbrahim78

trusted-service-identity's Issues

Create entry for the workload registrar with only one SPIRE agent

Today we are creating an entry for every node (SPIRE agent) to register a workload registrar

Suggestion: move the sidecar work into container-init, so the secret is done only once, per lifetime of the pod

This would reduce the number of sidecars, but it would require a container to recycle every time the secret has been modified or revoked.

Change the JSS error code for incorrect claims.

Currently when claims don't match the CA, we return < HTTP/1.1 503 SERVICE UNAVAILABLE, but it should be 403 Forbidden

The utility secret-maker.sh needs to support pods with multiple images

The utility secret-maker.sh needs to support pods with multiple images. Perhaps sort them alphabetically?

Create a generic way to handle services

We should at some point figure out what code we can reuse and change it so that each different service is just made out of something like a bash script + dockerfile, and all the python code is all generic

TI-KeyRelease/components/jss/gen-jwt.py

https://github.com/IBM/trusted-service-identity/blob/master/components/jss/gen-jwt.py#L23

 ./gen-jwt.py  --aud foo,bar --claims=email:[email protected]|images:img1,img2 key.pem

Move certain parameters from helm parameter to a configmap

Certain parameters that should be able to be toggled live should be put in configmaps instead of as helm values.

Test files require update to accommodate recent changes

Recreate the test files

Errors while testing - temporarily suppress the error

The test fails and it prevents the build. Temporarily suppress the error. This needs to be looked at.
https://github.com/IBM/trusted-service-identity/blob/img-repo/webhook_test.go#L393-L394

Open-Shift install script does not start on CRC standalone

Consider using /var/tsi-secure

Allow support for multiple namespaces with TSI

Provide a list of namespaces to support TSI secret injection. [ 'trusted-identity', 'my-secure-namespace',.... ]

As a workaround, the TSI can be installed individually on each namespace, but since they all would be using the same intermediate key per node, we need to investigate potential conflicts (when the public interfaces are open and closed). Alternatively we can add the namespace to the host path.

Deprecated CustomResourceDefinition in 1.16

trusted-service-identity$helm uninstall spire
W0830 12:55:30.365659   74273 warnings.go:70] apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition

Jss-server doesn't work with Open-Shift install

No tokens are generated.

"The `service_account_whitelist` configurable is deprecated

"The service_account_whitelist configurable is deprecated and will be removed in a future release. Please use service_account_allow_list instead." external=false plugin_name=k8s_psat plugin_type=NodeAttestor subsystem_name=catalog

Migrate all the old refrences TI to TSI

There are still several references for the old naming conventions TI. They all need to be changed to TSI

Consistent sorting of pod images.

This needs to be better organized to guarantee the proper sequence of images. Perhaps put images in a hash map and list them out lexicographically.

Images are sorted here, to be displayed in claims:
https://github.com/IBM/trusted-service-identity/blob/images/components/tsi-util/secret-maker.sh#L189-L203

And here is the secret maker that reads the yaml input files:
https://github.com/IBM/trusted-service-identity/blob/images/components/tsi-util/secret-maker.sh#L189-L203

Claims validation should include root CA subject alt names

With #36, intermediate CA subject alt names are checked as part of the claims prefixed by TSI:. This is done for certs part of the chain but which are not the root CA. There may be a usecase where this is useful and can be implemented by extending the claims dictionary population to the root CA as well.

Migrate to the new docker hub `tsidentity`

Extend CSR with x509v3 extended attribute fields for arrbitrary vaules

During the trusted bootstrapping process, the values like "region", "cluster-name", "datacenter" should be injected to CSR, so they can be validated during the vault-plugin verification. Throw an error if the claims in JWT don't match the values in intermediate CA

For security reasons, the application containers should be running in non-TSI namespace.

Operator managing the application should not have access to the namespace where TSI components are running. This prevents any malicious or careless modifications to the TSI enviroment. Make sure the appliction can be deployed in a different namespace.

Vault security alert

https://github.com/IBM/trusted-service-identity/security/dependabot/go.mod/github.com%2Fhashicorp%2Fvault/open

Current Travis setup does not seem to work properly.

The tests should fail but still shows success. There are references to old IBM github.

Fail the sidecar immediately if any of the required processes returns

We should spawn both processes and wait on either, if any of them return the sidecar should fail immediately, or try and restart either. Unfortunately, this is not easy in bash.

https://github.com/IBM/trusted-service-identity/blob/master/components/jwt-sidecar/run-sidecar.sh#L3-L4

IKS installation on 1.17.7 fails

[debug] Created tunnel using local port: '56135'

[debug] SERVER: "127.0.0.1:56135"

[debug] Original chart version: ""
[debug] CHART PATH: /Users/sabath/workspace/TSI/trusted-service-identity/charts/tsi-node-setup-v1.7.3.tgz

Error: release tsi-setup failed: namespaces "default" is forbidden: User "system:serviceaccount:kube-system:default" cannot get resource "namespaces" in API group "" in the namespace "default"```

Test and write a doc on TSI in OpenShift/Minishift/CRC

Documentation needed on running TSI with OpenShift

To prevent CMD modification, add it to workload identity (claims)

We make sure the pod identity contains image(s) for all the containers and initContainers, sha256 encoded, however, we don't protect the identity based on the provided commands. Users might add/modify the CMD values without affecting the identity.

We should add also the encoded value that contains the following info for all the containers in the pod:

image: ubuntu@sha256:250cc6f3f3ffc5cdaa9d8f4946ac79821aafb4d3afc93928f0de9336eba21aa4
command: [ "/bin/bash", "-c", "--" ]
args: [ "while true; do ls /tsi-secrets; sleep 5; done;" ]

Error handling short-circuit failure for bash scripts

There are several scripts with instances of running a command and using the output without testing it, these commands usually don't error but should be resilent due to changes in API such as oc ..., the CLI may change in the future and the scripts should be able to report failures and errors to make it easier to catch issues down the road.

Upgrade to SPIRE 1.0.x

https://newreleases.io/project/github/spiffe/spire/release/v1.0.0
SPIRE CLI syntax changed

Evaluate NodeAttestors configuration (aws_iid, azure_msi, etc)

We should have something that validates the values separately just to make sure if aws_iid, azure_msi, etc are valid and at least gives an error message if it is not set up right rather than continuing silently

Random number generator error

During the Cluster setup:
helm install charts/tsi-node-setup --debug --name tsi-setup --set reset.all=true

following errors show up in the container log:

pod tsi-setup-tsi-node-setup-pgnsw connected to host kube-fra02-cr034e871e697e4f2abff69102f2d792b0-w2.cloud.ibm machineid: a00917949efe4757bc4f5eb08bd6d69a
rm: cannot remove '/host/tsi-secure': Device or resource busy
full reset performed
rm: cannot remove '/host/tsi-secure/x5c': No such file or directory
x5c file reset performed
directory /host/tsi-secure/sockets created
Generating RSA private key, 2048 bit long modulus (2 primes)
............+++++
....+++++
e is 65537 (0x010001)
Can't load /root/.rnd into RNG
140476636512704:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/root/.rnd

Review all the test cases, after recent refactor of the sidecar.

Since we move the Vault secret retrieval to the sidecar and the main containers does not get the JWT anymore, we need to update/verify all the test cases are still relavant:

e.g. expectedMutateInitialization.json "mountPath": "/usr/share/secrets"

Since it is no longer jwt, we should change the volume name to reflect that instead of jwt-shared -data

Review JSS libraries that use outdated crypto

Review JSS libraries that use outdated crypto. We probably don't need them anymore

Once active the Webhook prevents the JSS daemonset from being recreated

Showing the following error:

Normal SuccessfulDelete 23m daemonset-controller Deleted pod: vtpm2-server-gbgjc Warning FailedCreate 4m27s (x21 over 22m) daemonset-controller Error creating: admission webhook "tsi-mutate.trusted-service-identity.ibm" denied the request: Using hostPath Volume with '/tsi-secure' is not allowed

Update the webhook to include deployments in addition to pods

In order to protect namespaces and hosts, we should also inspect the deployments in addition to pods, and returns the failure on the level of the deployment if violates the rules.

Testing failures

These lines cause problems now and need to be investigated:

trusted-service-identity/webhook_test.go

Lines 393 to 394 in 39c7c4b

 // TODO need to understand why this is failing now... 

 // t.Errorf(ERRORWITH, testName, err)

webhook_test.go

Initialize helm as a part of the namespace-init, or cleanup

$ helm install ../charts/tsi-node-setup-v1.7.3.tgz --debug --name tsi-setup --set reset.x5c=true --set cluster.name=tsi-test2 --set cluster.region=eu-de
Error: could not find tiller

Design a process for securely adding and removing worker nodes into the cluster

Remove all the stale code for injecting certificates by the webhook into Vault for every new pod.

Cleanup and remove stale code for injecting certificates for each new pod. These are the following components gen-vault-cert and revorker, update the webhook and all the configuration files, configmaps, helm charts and the documentation

gen-jwt.py flags need to be updated

The default command suggestions by gen-jwt.py doesn't work because it contains pipes that are not escaped. In addition, --expire doesnt seem to be used anymore and TTL_SEC env variable is used instead. In addition, a few other fields are ignored - like subject, iss, etc..

usage: gen-jwt.py [-h] [-iss ISS] [-aud AUD] [-sub SUB] [-claims CLAIMS]
                  [-jwks JWKS] [-expire EXPIRE]
                  key

Python script generates a JWT signed with custom private key.
issuer(iss) is passed as env. var. (ISS)
token expiration is passed as env. var (TTL_SEC)

Example:
./gen-jwt.py  --aud foo,bar --claims=email:[email protected]|images:img1,img2 key.pem

Suggestions to add quotes:

gen-jwt.py  --aud foo,bar --claims='email:[email protected]|images:img1,img2' key.pem

Bring back the optional support for vTPM

Since we moved to software signing service, we abandoned the existing vTPM solution. Let's bring it back to make it easier to integrate with hardware TPM once is available.

Enable SSL for sidecar communication with Vault

Currently, our Vault client is using HTTP to communicate with Vault. This should be done via HTTPS

Update helm to use --client-only

Remove dependency on tiller and set a stricter helm version requirement. Tiller is generally not something that is desired in the cluster, so we should try to remove dependency on it.

Split JSS volumeMounts to 2 directories

in charts/ti-key-release-2/templates/jss-server.yaml

hostPort: 5000
volumeMounts:
- mountPath: /host/tsi-secure
name: tsi-secure

We should have 2 different directories, one for private key and CSR, and another one for x5c. Then we can do the first one always RO for all JSS and keep x5c R/W for JSS PUB
The public need to be R/W because it needs to inject the x5c, but the private one should be RO

K8s Jobs never complete with TSI

Kubernetes jobs require all the container to complete the job in order to get status Completed, however TSI sidecar runs continuously indefinitely. One solution is to run disable the sidecar, by only executing the init container PR #59 however, we should consider notifying the sidecar that container has ended, so it can exit as well.

From Kubernetes 1.18, if all normal containers have reached a terminal state (Succeeded for restartPolicy=OnFailure, or Succeeded/Failed for restartPolicy=Never), then all sidecar containers will be sent a SIGTERM.

Disable modification of webhook created annotations

Once created, the annotation should not be updated by external configuration updates.

annotations:
    admission.trusted.identity/inject: "true"
    admission.trusted.identity/status: injected
    admission.trusted.identity/ti-cluster-name: ti-test1
    admission.trusted.identity/ti-cluster-region: eu-de
    admission.trusted.identity/ti-images: ubuntu:18.04@sha256:250cc6f3f3ffc5cdaa9d8f4946ac79821aafb4d3afc93928f0de9336eba21aa4
    admission.trusted.identity/ti-secret-key: ti-secret-274e1101-55be-0374-ae4b-5fc47cb34368

Need to add PRs that merge with `spire-master` to automated testing.

Revoked keys should be removed by the sidecar from the container

Update cryptography to 3.2 and python to =< 3

Current cryptography library 2.3 is not supported. Upgrade to 3.2 is required. As a result, python must be updated as well, since the cryptography 3.2 cannot be run with python 2.7

/usr/lib/python2.7/site-packages/jwcrypto/jwa.py:8: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in a future release.

see PR #73 and #74

skipping unknown hook: "crd-install"

	// TODO need to understand why this is failing now...
	// t.Errorf(ERRORWITH, testName, err)