Support client cert validation (spki, hash, san)

[kinolaev]

Description:
I'd like to allow a TLS handshake based on SNI and client certificate fields. For example, to allow only handshakes from a client with SAN URI spiffe://example.com/client to server.example.com service.

In the context of Envoy I need to configure CertificateValidationContext in a corresponding listener's filter chain.

To achieve this goal I propose to add spkiHashes, certificateHashes and subjectAltNames fields to ClientValidationContext of ClientTrafficPolicy. For example:

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
  namespace: default
  name: mtls-authentication
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: eg
      sectionName: server
  tls:
    clientValidation:
      caCertificateRefs:
        - kind: Secret
          name: root-ca
      spkiHashes:
        - NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
      certificateHashes:
        - df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
      subjectAltNames:
        dnsNames:
          - { type: Exact, value: client.example.com }
        emailAddresses:
          - { type: Suffix, value: @example.com }
        ipAddresses:
          - { type: Prefix, value: 192.168. }
        uris:
          - { value: spiffe://example.com/client }
        otherNames:
          - { oid: 1.3.6.1.4.1.311.20.2.3, value: client }

An alternative would be to introduce a new type of Principal to AuthorizationRule of SecurityPolicy.
But we can only support Allow action (there are only allowlists in Envoy's CertificateValidationContext) on a Gateway target (because it affects all routes) and return an error otherwise. Additionally SecurityPolicy doesn't support sectionName, so for now it's not possible to attach a policy to a specific listener and propagate rules to the right filter chain. PR #5916 fixes it.

I would also add that there are four places where we can validate SANs in Envoy: CertificateValidationContext, network RBAC filter, HTTP RBAC filter and per route RBAC filter. It may be a good idea to support configuring:

• CertificateValidationContext with ClientTrafficPolicy (allows to deny a connection at handshake stage)
• network RBAC filter with SecurityPolicy attached to a Gateway (allows to define blocklists in addition to allowlists)
• per route RBAC filter with SecurityPolicy attached to a route (granular control after TLS termination and an app protocol parsing)

So ClientTrafficPolicy and SecurityPolicy could complement each other. And I think ClientTrafficPolicy is a good place for adding SPKI hashes, certificate hashes and SANs to validate inbound TLS connection at handshake stage.

Relevant Links:

• an implementation based on ClientTrafficPolicy Support client cert validation (spki, hash, san) #5868

[github-actions]

This issue has been automatically marked as stale because it has not had activity in the last 30 days.

[arkodg]

hey @kinolaev trying to understand how common of a use case this is i.e. how many users will benefit from this
can you link some prior art of available settings in other implementations/projects, which should help with justifying adding this as a top level feature vs configuring it via a EnvoyPatchPolicy

[cenk1cenk2]

I would say on enterprises where everyone usually can be identified by an certificate can be very beneficial.

As a user myself I am more interested in the section name part of it since I do not usually want to attach client certificate authentication but usually to some parts of it which is currently not possible.

Just wanted to jot down my personal opinions since I was tracking this mr.

[kinolaev]

Istio has it as part of AuthorizationPolicy and in ServerTLSSettings. Linkerd has it in MeshTLSAuthentication.

In general you have two options to connect services in different networks: put them into a virtual network and keep authorizing traffic by IP or forget about IP as an identity, use mTLS and authorize by some field in a certificate. I think VPN approach is still more widespread now. But with a help of cert-manager and trust-manager or SPIFFE and SPIRE mTLS approach will win in long run in my opinion. Because there is no reason for encapsulation of any kind if every service could easily get a tls certificate and a trust bundle.

This approach is also a part of ZeroTrust and BeyondCorp concepts which were popularised by Google and other big players.

[arkodg]

@kinolaev are you using this Gateway as an internal API Gateway between internal services ?

[arkodg]

also hoping we can discuss more on the use case, is the expectation of denying connection or sending a 403 ?

[kinolaev]

are you using this Gateway as an internal API Gateway between internal services ?

I'd say I use it more like a firewall between internal services that supports tls certificate fields based rules in addition to IP based.

is the expectation of denying connection or sending a 403

Denying connection would be preferable. In my use case SNI and SAN fields contain enough info to make a decision, so I don't need to know what is inside a TLS stream, I don't need to decipher anything or to parse HTTP headers. That is why I'd prefer to extend ClientTrafficPolicy to cover this use case.

Of course there are other use cases, when HTTP method, path or headers are needed for an auth decision (I guess this is what you call "API Gateway", isn't it?). Status 403 would be more appropriate there. But this is the case for Envoy's RBAC configured via SecurityPolicy, IMHO.

[github-actions]

This issue has been automatically marked as stale because it has not had activity in the last 30 days.