K8s server and agent nodeattestor plugin
Signed-off-by: Enrico Schiattarella <enrico.schiattarella@gmail.com>
1 parent ed73c11, commit ecc354e
Showing 14 changed files with 1,341 additions and 37 deletions.
@@ -0,0 +1,39 @@ | ||
# Agent plugin: NodeAttestor "k8s" | ||
|
||
*Must be used in conjunction with the server-side k8s plugin* | ||
|
||
The `k8s` plugin retrieves an identity document from Kubernetes API Server and | ||
uses it to prove its identity to a SPIRE server and receive a SVID. | ||
The identity document consists of a x509 certificate signed by the Kubernetes | ||
API Server Certificate Authority. The plugin owns the private key associated | ||
with the identity document and is able to respond to proof-of-possession | ||
challenges issued by the server plugin. | ||
|
||
In order to retrieve the identity document, the plugin needs user credentials | ||
to access the Kubernetes API Server and submit a Certificate Signing Request (CSR). | ||
The credentials consist of a private key and a certificate stored on disks. | ||
It also needs a root certificate to validate the TLS certificate presented | ||
ny the Kubernetes API Server. | ||
|
||
The CSRs issued by the plugin follow the format used by Kubernetes Node Authorizer. | ||
They are automatically approved if the correct RBAC roles and bindings are in place. | ||
Alternatively, they can be approved manually by the Kubernetes administrator using | ||
the command `kubectl certificate approve` | ||
|
||
The SPIFFE ID produced by the plugin is based on the common name of the certificate | ||
and is in the form: | ||
|
||
``` | ||
spiffe://<trust domain>/spire/agent/k8s/system:node:<host name> | ||
``` | ||
|
||
See this [design document](https://docs.google.com/document/d/14PFWpKHbXLxJwPn9NYYcUWGyO9d8HE1H_XAZ4Tz5K0E) | ||
for more details. | ||
|
||
| Configuration | Description | Default | | ||
| ------------- | ----------- | ----------------------- | | ||
| `trust_domain` | The trust domain that the node belongs to. | | | ||
| `k8s_private_key_path` | The path to the private key on disk (PEM encoded PKCS1 or PKCS8) used to authenticate the agent to the Kubernetes API Server| | | ||
| `k8s_certificate_path` | The path to the certificate bundle on disk. Used to authenticate the agent to the Kubernetes API Server | | | ||
| `k8s_ca_certificate_path` | The root certificate used to validate the certificate presented by the Kubernetes API Server | | | ||
| `kubeconfig_path` | Optional. The path to the kubeconfig file containing Kubernetes cluster access information | | |
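Review bot: the relationship between `kubeconfig_path` and the three `k8s_*_path` options is left undefined in the configuration table. `kubeconfig_path` is marked "Optional", but the prose above says the plugin "needs user credentials" in the form of a private key and certificate on disk plus a root certificate, so a reader cannot tell whether a kubeconfig replaces those three paths, supplements them, or which one wins when both are configured; state the precedence and mark which options are required. Two typos in the same file: "ny the Kubernetes API Server" should read "by the Kubernetes API Server", and "stored on disks" should be "stored on disk". The CSR paragraph would also be more useful to an operator if it named the key type the plugin generates and the specific RBAC role and binding that make the automatic-approval path work, since "the correct RBAC roles and bindings" gives nothing concrete to check against.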
@@ -0,0 +1,21 @@ | ||
# Server plugin: NodeAttestor "k8s" | ||
|
||
*Must be used in conjunction with the agent-side k8s plugin* | ||
|
||
The `k8s` plugin attests nodes that have a valid certificate issued | ||
by a Kubernetes Certificate Authority. It verifies that the certificate | ||
is signed by a trusted CA and that the agent plugin has access to | ||
the corresponding private key using a signature-based challenge. | ||
|
||
The SPIFFE ID produced by the plugin is based on the common name of the certificate | ||
and is in the form: | ||
|
||
``` | ||
spiffe://<trust domain>/spire/agent/k8s/system:node:<host name> | ||
``` | ||
|
||
|
||
| Configuration | Description | Default | | ||
| ------------- | ----------- | ----------------------- | | ||
| `trust_domain` | The trust domain that the node belongs to. | | | ||
| `ca_bundle_path` | The path to the trusted CA bundle on disk. The file must contain one or more PEM blocks forming the set of trusted root CA's for chain-of-trust verification. | | |
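Review bot: the verification described here, chain validation against `ca_bundle_path` plus a signature-based proof of possession, accepts any leaf certificate the configured CA has signed, while the SPIFFE ID is derived from the common name alone. If the plugin does not also require the `system:node:` common-name prefix shown in the SPIFFE ID form (and, ideally, the organization and key usages that node client certificates carry), then a non-node client certificate issued by the same CA would be attested as a node; a Kubernetes cluster CA commonly signs admin and controller certificates too. Document which subject constraints and usages are enforced and what the plugin does when the CN does not match the expected form, so an operator knows whether a dedicated CA bundle is required. Minor: "trusted root CA's" should be "trusted root CAs".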