Add SPIFFE independent multiple trust domain API. #1923
Conversation
istio-testing
added
the
do-not-merge/work-in-progress
|
😊 Welcome @mathetake! This is either your first contribution to the Istio api repo, or it's been You can learn more about the Istio working groups, code of conduct, and contributing guidelines Thanks for contributing! Courtesy of your friendly welcome wagon. |
google-cla
bot
added
the
cla: yes
istio-testing
added
the
size/M
|
Hi @mathetake. Thanks for your PR. I'm waiting for a istio member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Signed-off-by: Takeshi Yoneda <[email protected]>
mathetake
requested review from
dcberg,
duderino,
linsun,
louiscryan,
nrjpoddar and
smawson
as code owners
istio-testing
removed
the
do-not-merge/work-in-progress
|
cc @lizan |
|
@myidpt @howardjohn PTAL |
|
/ok-to-test |
istio-testing
added
ok-to-test
Signed-off-by: Takeshi Yoneda <[email protected]>
istio-testing
added
size/XS
Signed-off-by: Takeshi Yoneda <[email protected]>
istio-testing
added
size/S
Signed-off-by: Takeshi Yoneda <[email protected]>
| // and its aliases. | ||
| // Note that we can have multiple certificate data for a same trust_domain. | ||
| // In that case, certificates with a same trust domain will be merged and used together to verify peer certificates. | ||
| repeated string trust_domains = 3; |
There was a problem hiding this comment.
How does this relate to trust domain defined above?
There was a problem hiding this comment.
this is associated with the "additional" root ca (CertificateData) to be used to validate incoming peer certs. In contrast, the trust domain above is used for singing certs with this cluster's root ca (e.g. istio-ca-secret).
There was a problem hiding this comment.
I see. May be add a comment related to it? I found it confusing so asked.
There was a problem hiding this comment.
+1 very confusing. Can we clarify this? Even in the names, such as cluster_trust_domains or mesh_trust_domains?
There was a problem hiding this comment.
I don't think this is that confusing since this is a field of CertificateData which is not in the top-level MeshConfig. But I agree that this is a bit confusing. @costinm @howardjohn thoughts?
There was a problem hiding this comment.
Is there a corresponding PR in the Istio Repo yet to handle Certificates for multiple TrustDomains? As of now, it is assumed that all these trustAnchors are intended for the configured mesh TrustDomain
istio-testing
added
the
needs-rebase
Signed-off-by: Takeshi Yoneda <[email protected]>
istio-testing
removed
the
needs-rebase
istio-testing
added
the
needs-rebase
istio-testing
removed
the
needs-rebase
|
@mathetake: The following test failed, say
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
| // and its aliases. | ||
| // Note that we can have multiple certificate data for a same trust_domain. | ||
| // In that case, certificates with a same trust domain will be merged and used together to verify peer certificates. | ||
| repeated string trust_domains = 3; |
There was a problem hiding this comment.
why is the trust_domains plural, does that means the certificate_data can belong to multi trust domains?
There was a problem hiding this comment.
yes. See discussion here: #1923 (comment) for example, it can be used for aliasing trust domains.
|
@costinm @howardjohn could you take another look? Thanks! |
| @@ -410,6 +410,10 @@ message Source { | |||
|
|
|||
| // Optional. A list of negative match of remote IP blocks. | |||
| repeated string not_remote_ip_blocks = 10; | |||
|
|
|||
| // Optional. A list of trust domains of peer certificates. | |||
There was a problem hiding this comment.
If I have mesh config:
trustDomain: foo
trustDomainAliases: [bar, baz]
and I set trustDomains=foo, do bar and baz apply?
what if I set trustDomains=baz?
Basically are aliases applied here?
There was a problem hiding this comment.
Thanks for putting another insight. I think we should implicitly apply foo and bar as well when only setting trustDomains=baz in line with the doc of trustDomainAliases saying "aliases are treated as the same trust domain". And this is how we can treat foo, bar and baz as the same trust domain.
so maybe should i put the comment about this behavior here?
There was a problem hiding this comment.
Yes, please. In this case, we should always treat foo, bar, baz as identical.
Normally, users should not specify the trust_domains when they apply the authz policy to the local trust domain. But if they did, trust domain aliasing also applies here.
There was a problem hiding this comment.
I am a bit concerned with the 3 names - trust_domain, trust_domain_aliasses and trust_domains. Note that trust_domain is used to indicate what we'll put in the certs we generate, and the aliases was introduced mainly for migrations - and doesn't make sense once
we have the more explicit trust bundles.
From the Spiffee spec: "implementations MUST securely associate bundle endpoints with their respective trust domain, nominally through explicit configuration of a <trust_domain_name, endpoint> tuple" - no mention of aliases, which can be represented by having more tuples ( except that it is discouraged to have same keys associated with different names !)
https://tools.ietf.org/html/rfc5280#section-4.2.1.10 has the concept of 'name constraints' and
'permittedSubtrees' - which can apply to both Spiffee URL SANs but also domain SANs and even IP certs. However those are built into the cert PEM - so wouldn't need any configuration on our side.
Same for OIDC - the 'trust domain' is built into the discovery URL.
In other words: I'm worried we're again reinventing the wheel and confusing people, like we did with few other things in security.
I am also worried about the 'mesh wide' / mesh operator applicability of the config - instead of using ProxyConfig which allows more specific targeting. Since DestinationRule, Policy, etc are driven by the mesh user - I don't see why the trust endpoints would be mesh-wide and controlled by operator.
So my alternate proposals:
- add this to ProxyConfig instead ( or maybe even DestinationRule - combined with the proposal we just heard in Env/networking for improving verification of SANs )
- either use a 'trustDomain' ( without aliases - see spiffee spec/recommendation ), or use the RFC5280 naming, mentioning that the constraints can also be loaded from the cert itself. Since this kind of constraining of a root cert is in no way specific to spiffee URL SANs - I would very much prefer the 'constraints' approach.
- If the URL form is specified I would just document that for Istio we recommend using the OIDC format for the URL, which includes the 'trust domain' in the URL in a well-known form, and validate that.
|
I would also request having this reviewed by Env WG ( MeshConfig vs ProxyConfig ) and Networking ( vs DestinationRule, and how it can fit/interact with the new proposal for validation in DR ). In particular we have a pretty big disconnect between networking - defining SAN validations in DR and client SAN validation in Gateway - and mesh config terms that are only used in Spiffee ( like the fact we validate ones by default and others not, ownership of configs, etc ). I think this is a very important and useful PR - I would love to see this replace the 'trustDomainAliases' with a more standards-based and consistrent/integrated solution. |
| @@ -222,6 +222,13 @@ message MeshConfig { | |||
| // The certificate is retrieved from the endpoint. | |||
| string spiffe_bundle_url = 2; | |||
| } | |||
|
|
|||
| // Optional. Specify the list of trust domains to which this certificate data belongs. | |||
There was a problem hiding this comment.
| // Optional. Specify the list of trust domains to which this certificate data belongs. | |
| // Optional. Specify the list of trust domains to which this root of trust belongs. |
|
|
||
| // Optional. Specify the list of trust domains to which this certificate data belongs. | ||
| // If set, they are used for this root CA. Otherwise, this root CA is used for default trust domain | ||
| // and its aliases. |
There was a problem hiding this comment.
This becomes error prone now. If the user forgets to specify trust_domains, the external CAs will be able to impersonate the local CA. I think in the long term, we should mandate this field to be non-empty (ie, if it's empty, the CertificateData is invalid). How about if users want to use this to configure extra roots for the local trust domains. they should set "LOCAL" as the trust domain? We need to think about the backward compatibility, though. Istiod can log warnings in 1.11 when trust_domains is unset, and we mandate it in 1.12.
| // Optional. Specify the list of trust domains to which this certificate data belongs. | ||
| // If set, they are used for this root CA. Otherwise, this root CA is used for default trust domain | ||
| // and its aliases. | ||
| // Note that we can have multiple certificate data for a same trust_domain. |
There was a problem hiding this comment.
| // Note that we can have multiple certificate data for a same trust_domain. | |
| // Note that we can have multiple roots of trust for a same trust domain. |
| // If set, they are used for this root CA. Otherwise, this root CA is used for default trust domain | ||
| // and its aliases. | ||
| // Note that we can have multiple certificate data for a same trust_domain. | ||
| // In that case, certificates with a same trust domain will be merged and used together to verify peer certificates. |
There was a problem hiding this comment.
| // In that case, certificates with a same trust domain will be merged and used together to verify peer certificates. | |
| // In that case, root certificates associated with the same trust domain will be merged and used together to verify peer certificates from that trust domain. |
| @@ -410,6 +410,10 @@ message Source { | |||
|
|
|||
| // Optional. A list of negative match of remote IP blocks. | |||
| repeated string not_remote_ip_blocks = 10; | |||
|
|
|||
| // Optional. A list of trust domains of peer certificates. | |||
There was a problem hiding this comment.
Yes, please. In this case, we should always treat foo, bar, baz as identical.
Normally, users should not specify the trust_domains when they apply the authz policy to the local trust domain. But if they did, trust domain aliasing also applies here.
|
@costinm Thank you very much for putting your thoughts in detail.
Could you add reviewers from these WG to this PR? And I would appreciate it if you could put the link to the proposal.
Agreed and now I would love to go with 'naming constraints' and I'm even thinking of removing 'trust_domain(s)' field, which seems much clearer and standardized. Does it make sense to you to remove the field and only support loading domains from naming constrains?
sg but if a user wants to load a "inline" cert (via "pem" field or equivalent in the future), then this cannot be available. So I guess this would introduce another confusion on users. I would prefer we stick to either "naming constrians" approach or "trust_domain" (without "s") approach as you proposed above. WDYT? |
istio-testing
added
the
needs-rebase
|
@mathetake: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
superseded by #2090 |
Now that Envoy side implementations (envoyproxy/envoy#14884, envoyproxy/envoy#15509) have landed upstream, and "independent multiple trust domain authN/Z" can be achieved in Istio. So this PR adds API for that.
References:
Signed-off-by: Takeshi Yoneda [email protected]