Implement SPIFFE Broker Endpoint & API#6915
Conversation
|
@arndt-s @amartinezfayo @MarcosDY @sorindumitru I spiked through the implementation, will add tests and docs after an initial review. PTAL 🙏 |
|
@sorindumitru I updated the PR according to the spire-plugin-sdk changes your requested (remove workloadattestorv2), PTAL 🙏 |
arndt-s
left a comment
There was a problem hiding this comment.
Structural-wise I believe this is looking good.
|
@arndt-s Addressed your first three comments here: https://github.com/spiffe/spire/compare/4973fcf5ee282081a3025b9c1faf68a06bd79368..cfe8a847be3432652de75e7aa386f5a68aa51700 |
e492e76 to
2a814e3
Compare
0ba6010 to
97772d7
Compare
39cd713 to
c4b0c6c
Compare
|
Something I realized after talking with @sorindumitru is that the lever we were really after is controlling the remote, cluster-wide lookup, and allowed_reference_types doesn't quite get there. Enabling KubernetesObjectReference also enables the API-server path, so the cache and the cluster-wide Pod watch start as soon as a reference can't be resolved locally (a cross-node pod, a fresh pod not yet in the kubelet list, or any non-pod object). There's no way to allow object references while keeping resolution local-only, and a broker usually doesn't have the workload PID, so it can't fall back to PID for local pods the way a sidecar would. I think we should add an explicit remote-lookup control, default to off. Off would resolve object references through the kubelet only, and anything needing the API server would return NotFound without starting the cache. |
I think your concern really is with caching / watching. I think the right gate we need is for the cache, not for the API server. In my follow-up PR I want to introduce API server calls for more things, including when attesting PID references, but only via Broker API. If it's a Broker API call, which is an entirely new feature, I think the k8s attestor plugin should always perform a SubjectAccessReview, regardless of the reference type. I think it's really important to release this feature with this check. @amartinezfayo @sorindumitru What do you guys think? |
I replaced |
19ddd28 to
3dddc79
Compare
There was a problem hiding this comment.
This was mentioned in a separate comment, since the extra checks are not specified by the specification we can't enable it by default. The SubjectAccessReview checks should be optional and default to disabled.
Additionally, we still want to limit the k8s plugin to just the kubelet data by default. I think the current configuration is ok as is, it just needs to change what is checked.
Thank you for looking into using PartialObjectMetadata, that seems to be a good optimisation to have in general. We still think this can add a lot of memory spiking due to parsing large List responses, since the metadata can contain labels and annotations, which is why we would like to limit requests to the kubelet.
Agreed.
Since SAR will be optional, I strongly disagree that this feature should have a default. Users should be forced to make that choice, as it is a very serious one. Defaulting to less safe does not sound like SPIRE at all. Furthermore, we should choose the config knob and values in a way that encourages SAR: broker {
access_policy = "enforced" # or "permissive". no default. the plugin initialization will fail if a value is not specified.
}About using only kubelet for pods by default, sure, we can do that. We can branch the behavior based on the already-existing Note: This will work only for pods. There's nothing for non-pod objects in kubelet. |
|
Both implemented:
|
That would be a breaking change for previous users of the plugin. We really need to default to not doing the check. |
No, it would not be a breaking change at all. The field lives under |
|
(If it's not clear, SAR is a broker-only check. There's no SPIFFE ID to check if there's no broker.) |
Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
amartinezfayo
left a comment
There was a problem hiding this comment.
Thanks for working through all the rounds on this, @matheuscscp
Reference implementation for spiffe/spiffe#340 arndt-s/spiffe#1
go-spiffe PR: spiffe/go-spiffe#388 plugin-sdk PR: spiffe/spire-plugin-sdk#74
Follow-up issues: #7074 #7075
Follow-up PRs: matheuscscp#1 (waiting for this one to merge)
Pull Request check list
Affected functionality
Description of change
Which issue this PR fixes
Supersedes: #6594