kubernetes-sigs / cluster-api

Home for Cluster API, a subproject of sig-cluster-lifecycle
https://cluster-api.sigs.k8s.io
Apache License 2.0

Security Self Assessment: [STRIDE-SPOOF-4][STRIDE-SPOOF-5] Machine attestation for secure kubelet registration #3762

Open randomvariable opened 3 years ago

randomvariable commented 3 years ago

User Story

As a security operator, I want to ensure developers who have access to create MachineDeployments are not able to gain access to data for workloads on a cluster they are not supposed to.

Detailed Description

kubeadm bootstrap tokens allow registration as arbitrary node names. GCP, EKS and Kops provide mechanisms to attest to the identity of a node such that they do not inadvertently get access to secrets and volumes not intended for that node. Provide a mechanism to resolve.

Anything else you would like to add:

[Miscellaneous information that will assist in solving the issue.]

/kind feature
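
The gap described in the issue above, as an added example (not Cluster API code or its design): a signer-side check that a kubelet client CSR requests only the node name established for the requesting machine. The `system:node:<name>` common name and `system:nodes` organization are the standard kubelet client identity; `checkKubeletCSR`, `sampleCSR`, the `attestedNode` input and the node names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"strings"
)

// checkKubeletCSR rejects a kubelet client CSR unless it asks for exactly the
// node identity that attestation established for the requesting machine.
// attestedNode is an assumption: the name a verifier derived out of band.
func checkKubeletCSR(der []byte, attestedNode string) error {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return fmt.Errorf("parse CSR: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("CSR signature: %w", err)
	}
	org := csr.Subject.Organization
	if len(org) != 1 || org[0] != "system:nodes" {
		return fmt.Errorf("unexpected organization %q", org)
	}
	cn := csr.Subject.CommonName
	if !strings.HasPrefix(cn, "system:node:") {
		return fmt.Errorf("common name %q is not a node identity", cn)
	}
	if name := strings.TrimPrefix(cn, "system:node:"); name != attestedNode {
		return fmt.Errorf("CSR asks for node %q, machine attested as %q", name, attestedNode)
	}
	return nil
}

// sampleCSR builds a constructed CSR the way a kubelet would for nodeName.
func sampleCSR(nodeName string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{
		CommonName: "system:node:" + nodeName, Organization: []string{"system:nodes"}}}
	der, _ := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return der
}

func main() {
	fmt.Println(checkKubeletCSR(sampleCSR("worker-a"), "worker-a"))
	fmt.Println(checkKubeletCSR(sampleCSR("control-plane-0"), "worker-a"))
}
```

Without a binding like this, the holder of a bootstrap token can request a certificate for any node name, which is the spoofing case the issue tracks.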

vincepri commented 3 years ago

/milestone Next

To be determined if we can get this in v1alpha4

fejta-bot commented 3 years ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.

/lifecycle stale

vincepri commented 3 years ago

/lifecycle frozen

randomvariable commented 3 years ago

I know we don't have a label for it, but just for tracking

/area node-agent

k8s-ci-robot commented 3 years ago

@randomvariable: The label(s) area/node-agent cannot be applied, because the repository doesn't have them

In response to [this](https://github.com/kubernetes-sigs/cluster-api/issues/3762#issuecomment-762814972):

> I know we don't have a label for it, but just for tracking
>
> /area node-agent

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

neolit123 commented 3 years ago

> node-agent

just wanted to note that k8s docs address the kubelet as the "primary node agent":

https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/

> The kubelet is the primary "node agent" that runs on each node

but if this is a "CAPI node agent" people are likely not going to be that confused.

vincepri commented 3 years ago

@neolit123 Yes it's a Cluster API Node Agent :)

arianvp commented 3 years ago

Would it make sense to use https://spiffe.io/ for abstracting the node attestation part so it's cloud-agnostic (and works on prem; e.g. with the TPM attestor?)

fabriziopandini commented 3 years ago

> Would it make sense to use https://spiffe.io/ for abstracting the node attestation part so it's cloud-agnostic (and works on prem; e.g. with the TPM attestor?)

@randomvariable @yastij In the proposal recently merged, https://github.com/kubernetes-sigs/cluster-api/blob/master/docs/proposals/20210222-kubelet-authentication.md#spirespiffe, there was a session explaining why the SPIFFE alternative was not selected.

arianvp commented 3 years ago

Thanks for the link to the proposal. This looks very interesting.

PushkarJ commented 2 years ago

/area security

/sig security

/retitle Security Self Assessment: [STRIDE-SPOOF-4][STRIDE-SPOOF-5] Machine attestation for secure kubelet registration

(Feel free to retitle again, I am trying to update it with security self-assessment issue naming convention.)

fabriziopandini commented 1 year ago

/triage accepted

/help

k8s-ci-robot commented 1 year ago

@fabriziopandini: This request has been marked as needing help from a contributor.

Guidelines

Please ensure that the issue body includes answers to the following questions:

For more details on the requirements of such an issue, please see here and ensure that they are met.

If this request no longer meets these requirements, the label can be removed by commenting with the /remove-help command.

In response to [this](https://github.com/kubernetes-sigs/cluster-api/issues/3762):

> /triage accepted
>
> /help

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

k8s-triage-robot commented 5 months ago

This issue has not been updated in over 1 year, and should be re-triaged.

You can:

For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/

/remove-triage accepted

fabriziopandini commented 2 months ago

/priority backlog