Open sftim opened 5 years ago
fejta-bot
commented
5 years ago Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle stale
sftim
commented
5 years ago /kind feature /priority important-longterm
fejta-bot
commented
4 years ago Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle rotten
sftim
commented
4 years ago /remove-lifecycle rotten
sftim
commented
4 years ago Also see #17848
fejta-bot
commented
4 years ago Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle stale
fejta-bot
commented
4 years ago Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle rotten
sftim
commented
4 years ago /remove-lifecycle rotten
sftim
commented
4 years ago Think this is important enough to merit /lifecycle frozen
sftim
commented
4 years ago Relevant to PR https://github.com/kubernetes/website/pull/23522
sftim
commented
3 years ago /sig security
sftim
commented
3 years ago Also IMO /sig usability
sftim
commented
3 years ago /language en
sftim
commented
3 years ago /remove-priority important-longterm I'll let SIG Security decide on that
savitharaghunathan
commented
3 years ago /priority important-longterm
savitharaghunathan
commented
3 years ago /triage accepted
sftim
commented
2 years ago Duplicated by https://github.com/kubernetes/website/issues/31269
tomkivlin
commented
2 years ago I'd like to work on this. @sftim do you see this as a page in /concepts/security/ with the description of what TLS is and what it's used for in Kubernetes, with some "what's next" content pointing to a new page in /tasks/tls/ with the scenarios you've described etc.?
tomkivlin
commented
2 years ago /assign
sftim
commented
2 years ago do you see this as a page in /concepts/security/ with the description of what TLS is and what it's used for in Kubernetes, with some "what's next" content pointing to a new page in /tasks/tls/ with the scenarios you've described etc.?
I hadn't got that far @tomkivlin. What you suggests sounds good to me.
Have a think about the concept would be “encryption in transit” or specifically “TLS”. If you have the appetite for it, the concept could even be “How Kubernetes Uses Encryption”.
Maybe there will be more than one task page. Also some existing task pages cover TLS in one way or another.
tomkivlin
commented
2 years ago @sftim I like that idea. What I'll do then is a new page e.g. /concepts/security/kubernetes-encryption.md which can cover encryption at rest (etcd, secrets, volumes, etc.), in transit (Pods, Services, Ingress, etc.) and link off to other existing pages. I'll create any task pages as needed.
sftim
commented
2 years ago Encryption is also used for authn in various ways. I don't think we use if for nonrepudiation.
tomkivlin
commented
2 years ago NB I have started work on this, will prepare a PR when I'm back from holiday.
sftim
commented
2 years ago Great! I look forward to seeing this merged.
mehabhalodiya
commented
1 year ago @tomkivlin I don't see any updates regarding any PR; so unassigning you. Please feel free to assign, if you come back here again and are willing to work on 🙂 /unassign @tomkivlin
tomkivlin
commented
1 year ago /assign
insaaniManav
commented
5 months ago Hi I'd love to make this happen can I be assigned this issue ?
sftim
commented
5 months ago Here's how to work on this:
We've a lengthier guide at https://kubernetes.io/docs/contribute/new-content/
insaaniManav
commented
5 months ago /assign
insaaniManav
commented
5 months ago Hi so continuing this conversation are we still going with what was suggested by @tomkivlin on this ? is it okay if I continue work where they left off on their branch ?
tomkivlin
commented
5 months ago Hi so continuing this conversation are we still going with what was suggested by @tomkivlin on this ? is it okay if I continue work where they left off on their branch ?
Fine by me! Sorry for not being able to continue this.
This is a Feature Request
What would you like to be added Add documentation that covers the different ways to protect communications in transit for a workload.
Explain prerequisites to include an understanding of SSL / TLS, maybe SNI and X.509 too. Help readers understand the topic and signpost away anyone looking for other docs (eg how to use TLS with the control plane)
Explain prerequisites to deploying TLS: stable hostname, private key, certificate Maybe mention ACME if this doesn't make the page too long.
Discuss hosting options:
What's next: signpost readers to relevant add-ons, eg https://github.com/jetstack/cert-manager signpost readers to learn about using
for TLS.
Why is this needed There are several options for using TLS in connection with Kubernetes for application workloads. If you learn N-1 of these, it's not easy to spot that you haven't encountered all of them.
Comments The aim I have in mind is that there's a single page for the topic. If I meet someone who wants to learn about TLS for workloads on Kubernetes I give them a link to that page and they can find what they need to by reading the page and clicking links (they don't have to rely on the search form or on a 3rd-party search website).
If linking to 3rd party content, bear the content guide in mind.
14727 is kind of similar; it's more broadly focused on a encryption at rest in general. It feels OK to focus on TLS rather than the bigger picture of encryption in transit. Cluster operators are going to be much, much more likely to pick TLS to protect their application data over (eg) Kerberos or IPSEC.