Open jasminejaksic-zz opened 7 years ago
Hi guys,
Congrats on the project guys. Istio auth looks like something incredibly relevant to what we're doing: building trust between microservices using TLS certs. In our approach we're using Vault as an issuer of short-lived certs for auth within and across our Kubernetes clusters.
I was wondering whether the auth across k8s that you're planning will require federation of Kubernetes clusters or whether it can be done through pure trust of the CA cert chain that the auth manager is using to issue stuff?
@mwitkow, thanks for your interest. Auth across k8s is a difficult problem. Essentially we need to figure out a way to build up a trust chain between cluster CAs to make clusters be able to talk to each other.
@mwitkow FYI federated auth for Istio (independent of cluster federation) and the necessary bootstrapping of trust is a goal of the SPIFFE project (see https://spiffe.io/) that several folks on the istio/auth team are contributing to. Feel free to reach out to andrew AT scytale.io if you want to learn more.
This is a tracking issue to enable service-to-service authorization at cluster level.