Comments (21)
Provide some context on the usage in my workplace:
- We want our SPIFFE/SPIRE infrastructure to be the single solution for certificate issuing for all workloads, both control plane date flow and data plane flow.
- It is very easy for us to distributed keys and trust bundle since we have spire-agent everywhere.
- We also want to control the attestation aspect, which Istio's self sign cert do not provide.
- Kubernetes secret is a big no-no. We do not want key materials to be persisted in any where.
- File mount offers a rudimental solution. If we have to do it, we can make spire-agent write cert into a memory dir and rotate it periodically. But it does raise the concern of inconsistency during the cut over of rotation.
from istio.
One cent from me, istiod startup should not depend on spire, fetching cert from spire api during bootstrap is risky. Can bring more dependencies on deploying
I definitely understand where you're coming from here, however if a user has decided that SPIRE
is the certificate source than I think that's acceptable. In fact istiod
coming up despite missing its xDS CA may mislead users. The other option I could see is failing readiness checks, but I'm not sure how much use istiod
is without the xDS server, and we can't start said server without the proper certs.
from istio.
Agree on the concern of introducing a dependency during startup. And I agree with @EItanya that the reliability on that dependency is what user should be concerned about. The current approach which rely on k8s secret or a mount file arguable will have same reliability concern. It just that failures like k8s fails to provide secret or a file missing are perceived as less likely to happen.
From security perspective, no workload should start if they're not able to attest their identity. For example, it would be hazardous if a malicious actor can start their own istiod
without attestation to manipulate the mesh. The workload's cert managed on a separate loop from istiod
CA mitigate the risk of man in the middle attack. However, a fake istiod
still can do a lot of damage by setting malicious network configurations.
We do need to ensure a correct layering of the infrastructure systems. If SPIRE lays the foundation of workload attestation, it shouldn't depends on Istio.
from istio.
istio-csr has this problem today and mounts the certificates manually to get around it https://raw.githubusercontent.com/cert-manager/website/master/content/docs/tutorials/istio-csr/example/istio-config-getting-started.yaml
from istio.
+1 on having some abstraction here that makes it easier to detangle istio CA
from the rest of istiod, since absolutely nothing about how that CA works should be istio-specific, and out of everything istiod
does, it's the thing that should be the easiest to replace with another non-Istio impl.
Whether that's SDS or some other interop channel doesn't matter much to me. I think it makes sense to have something here that is less crude than volume mounts, as those are not always acceptable, especially if they contain secrets.
from istio.
+1 on reducing the complexity of istio ca and supporting a flexible attestation model for control plane certificates.
from istio.
The current file mounted cert usage is not quite convenient, Integrate with spire agent is reasonable.
One cent from me, istiod startup should not depend on spire, fetching cert from spire api during bootstrap is risky. Can bring more dependencies on deploying
from istio.
Related Issues (20)
- Inconsistent Performance of Istio Ingress Gateway in PASSTHROUGH Mode HOT 5
- Errors with istio ext-authz cluster name in envoy cluster stats - metrics HOT 1
- Orchestrator - AKV bug where the VaultName property is used for constructing the VaultURL instead of deriving it from the storePath. HOT 5
- inpod iptable rules has not been removed when uninstall Istio HOT 5
- distribution reporter should not report events for types that are unwatched HOT 5
- Locality Load Balancing does not meet the expectations HOT 2
- default ISTIO_META_DNS_CAPTURE to true HOT 19
- FIPS mode to enforce boringssl compliance policies HOT 1
- [release-1.20] add DaemonSets and StatefulSets to known types HOT 1
- [release-1.19] Add option to only run gateway conformance tests with standard resources HOT 1
- [release-1.20] Add option to only run gateway conformance tests with standard resources
- Istio Gateway does not accept subdomain certificates.
- `portLevelMtls` in PeerAuthentication not enforcing strict mode HOT 10
- istioctl analyze --revison invalid HOT 4
- unexpected behaviour regarding load balncer and http2MaxRequests
- WorkloadSelector in DestinationRule resulting in route error HOT 8
- Matching priority of Virtual Service HOT 1
- Gateway API status write race HOT 2
- Unable to disable access logging for specific NS using Telemetry API HOT 8
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from istio.