Closed hanlins closed 3 years ago
This will probably need a design, let's see how we can kickstart something.
Regarding point 2, we should be able to use secrets to make sure we don't expose sensitive data https://github.com/kubernetes-sigs/cluster-api/blob/master/bootstrap/kubeadm/api/v1alpha3/kubeadmbootstrapconfig_types.go#L203-L205
/cc @CecileRobertMichon for CAPZ side /kind design
@hanlins thanks for filing this! Could you please update your description with as many separate user stories that you can think of? For example, I think you could have separate stories for:
Thanks!
Hi @ncdc,
Thanks for the feedback. For the user stories:
supporting non-kubeadm bootstrap providers (will require a design with proposed contract+API changes for bootstrap providers) supporting things other than cloud-init
We don't actually have a user story for other bootstrap providers. I'm bringing that up just want to make sure we choose the right layer of abstraction if we decide to involve a config (e.g. we could expose a new option specifically for proxy in ClusterNetwork or just KubeadmConfigSpec to make it a provider specific thing). For whichever approach, we need to make adaptions thus we're open to either decision and want to be aligned with upstream.
ensuring any sensitive information (usernames/passwords) are stored securely
👍 , will add
supporting in-place reconfiguration
Yeah this is a nice to have from UX stand point but we know it's not easy and come with a cost. For openshift we notice that what they did is they need to reboot VMs to pick up the new changes, this is clearly not aligned with the immutable model we adopt in cluster API. Sure we can put it down as user story but we're not setting expectation that we have to the VMs in-place 😄
Hi @vincepri, true we can leverage SecretFileSource
to hide the credentials, and this is what we're planning to work on shortly. It's good that we can hide the secrets but at the same time it's difficult for users to read the proxy settings for diagnose. Ideally if we have an option just for proxy, we could add just show the HTTP(S)_PROXY url to the users and hide its credentials. Here I'm making an assumption that the URL itself is not a secret and it's the operator's job to perform security hardening and people will have to be authenticated to get proxy access.
@ncdc one more thing to add for the bootstrap provider assumption. Our current approach is Linux based and grouping a new option with the bootstrap provider could be easier for the moment but we might need to come back later for windows support. Exposing a new option in Cluster
might enforce windows to support the new option.
/milestone v0.4.0
Hi @vincepri, this is a draft proposal for the proxy changes we're planning.
/ok-to-test
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale
.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close
.
Send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten
.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close
.
Send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen
.
Mark the issue as fresh with /remove-lifecycle rotten
.
Send feedback to sig-contributor-experience at kubernetes/community. /close
@fejta-bot: Closing this issue.
User Story
As a operator I would like to proxy cluster egress traffic for security compliance As a operator I would like to store proxy credentials in secret(s) and consume them securely As a user I would like to update cluster proxy settings via cluster API As a user I would like to view proxy configurations being applied for my cluster
Detailed Description
In some corporation network, security policies or firewall rules will be applied to block egress traffic to prevent data exfiltration, which will block the traffic for pulling images from external image registry or sending telemetry data. A proxy is required in this scenario to ensure the egress traffic can be managed in a secure way.
Anything else you would like to add:
With current v1alpha3 implementation, we could potentially inject proxy configs to container runtime via the Files hook, however it has following problems:
It'll be helpful to add configurations in the cluster API spec to natively support http proxy to fix the issues we have above.
/kind feature