Open randomvariable opened 3 years ago
/milestone Next
To be determined if we can get this in v1alpha4
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle stale
/lifecycle frozen
I know we don't have a label for it, but just for tracking
/area node-agent
@randomvariable: The label(s) area/node-agent cannot be applied, because the repository doesn't have them.
just wanted to note that k8s docs address the kubelet as the "primary node agent":
https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/
The kubelet is the primary "node agent" that runs on each node
but if this is a "CAPI node agent" people are likely not going to be that confused.
@neolit123 Yes it's a Cluster API Node Agent :)
Would it make sense to use https://spiffe.io/ for abstracting the node attestation part so it's cloud-agnostic (and works on prem; e.g. with the TPM attestor? )
@randomvariable @yastij In the proposal recently merged https://github.com/kubernetes-sigs/cluster-api/blob/master/docs/proposals/20210222-kubelet-authentication.md#spirespiffe there was a section explaining why the SPIFFE alternative was not selected.
Thanks for the link to the proposal. This looks very interesting.
/area security /sig security /retitle Security Self Assessment: [STRIDE-SPOOF-4][STRIDE-SPOOF-5] Machine attestation for secure kubelet registration (Feel free to retitle again; I am trying to update it to the security self-assessment issue naming convention.)
/triage accepted /help
@fabriziopandini: This request has been marked as needing help from a contributor.
Please ensure that the issue body includes answers to the following questions:
For more details on the requirements of such an issue, please see here and ensure that they are met.
If this request no longer meets these requirements, the label can be removed by commenting with the /remove-help command.
This issue has not been updated in over 1 year, and should be re-triaged.
You can:
/triage accepted (org members only)
/close
For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/
/remove-triage accepted
/priority backlog
User Story
As a security operator, I want to ensure developers who have access to create MachineDeployments are not able to gain access to data for workloads on a cluster they are not supposed to.
Detailed Description
kubeadm bootstrap tokens allow registration as arbitrary node names. GCP, EKS and Kops provide mechanisms to attest to the identity of a node such that they do not inadvertently get access to secrets and volumes not intended for that node. Provide a mechanism to resolve.
Anything else you would like to add:
[Miscellaneous information that will assist in solving the issue.]
/kind feature
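The issue body states the risk in one sentence: a kubeadm bootstrap token proves only that the requester holds a token, not which machine is enrolling, so the node name in the kubelet CSR subject is requester-chosen. The following is an added illustration, not code from the issue or from Cluster API: a hypothetical CSR approver that refuses to rely on the token alone and requires an attestation document whose node name must match the requested `system:node:<name>` subject. The attestation format (JSON plus HMAC-SHA256), the `ATTESTOR_KEY`, and the sample instance document are constructed stand-ins for a provider- or TPM-backed attestation mechanism.

```python
"""
Hypothetical node-registration approver, constructed for illustration.

Models the gap described in the issue: a kubeadm bootstrap token authenticates
the request but does not bind it to a node identity, so the CSR subject
("system:node:<name>") can name any node. The approver below additionally
requires an attestation, issued by a trusted attestor for the machine, whose
node name must equal the requested one before the CSR is approved.
"""
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Hypothetical key shared between the attestation authority and the approver.
ATTESTOR_KEY = b"constructed-demo-attestor-key"

NODE_CN_PREFIX = "system:node:"


def sign_attestation(doc: dict, key: bytes = ATTESTOR_KEY) -> str:
    """Issue an attestation token: base64(JSON document) '.' hex HMAC-SHA256."""
    payload = json.dumps(doc, sort_keys=True).encode()
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.b64encode(payload).decode() + "." + mac


def verify_attestation(token: str, key: bytes = ATTESTOR_KEY) -> Optional[dict]:
    """Return the attested document if the MAC verifies, otherwise None."""
    try:
        b64, mac = token.split(".", 1)
        payload = base64.b64decode(b64, validate=True)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    try:
        doc = json.loads(payload)
    except ValueError:
        return None
    return doc if isinstance(doc, dict) else None


def node_name_from_subject(cn: str) -> Optional[str]:
    """Extract <name> from a kubelet CSR subject CN of the form system:node:<name>."""
    if not cn.startswith(NODE_CN_PREFIX):
        return None
    name = cn[len(NODE_CN_PREFIX):]
    return name or None


def approve_node_csr(csr_subject_cn: str,
                     bootstrap_token_valid: bool,
                     attestation: Optional[str]) -> Tuple[bool, str]:
    """Decide whether a bootstrap-token-authenticated kubelet CSR may be approved.

    Returns (approved, reason). The token gates the request; the node name is
    accepted only if it equals the name carried by a valid attestation.
    """
    if not bootstrap_token_valid:
        return False, "bootstrap token rejected"
    requested = node_name_from_subject(csr_subject_cn)
    if requested is None:
        return False, "CSR subject is not a node identity"
    if attestation is None:
        # The token-only path from the issue: nothing binds the node name.
        return False, "no attestation presented; token alone does not bind a node name"
    doc = verify_attestation(attestation)
    if doc is None:
        return False, "attestation failed verification"
    attested = doc.get("node_name")
    if attested != requested:
        return False, f"attested node {attested!r} does not match requested {requested!r}"
    return True, "approved"


if __name__ == "__main__":
    # Constructed attestation for one machine, as the attestor would issue it.
    att = sign_attestation({"instance_id": "i-demo-0001", "node_name": "worker-a"})
    for cn in ("system:node:worker-a", "system:node:control-plane-0"):
        print(cn, "->", approve_node_csr(cn, True, att))
```

The design point is that the approver never derives the node name from the CSR alone: the name must be asserted by something the requester cannot choose (here the attestor's signature over the instance document), which is the binding the cloud-provider and TPM mechanisms mentioned in the issue supply.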