Guidelines for node-level plugin auth

[tallclair]

Overview

I get a lot of questions about how to setup mutual authentication for node-level cluster plugins. Examples include:

• Local volume provisioning
• Device plugins (modify node object)
• Device metrics (scraping)
• CRI Streaming
• Are there others I'm missing?

For the general case, our recommendation has been to use a service mesh (such as Istio), or NetworkPolicy (although this isn't really a full solution). But as both of those are optional features on Kubernetes, I don't think they are sufficient for core functionality.

We need some general guidelines for plugins, and may need to build some additional capabilities or libraries to support them.

The architecture we need to target includes:

• A central control component, running as a deployment in the cluster. Let's call this the "CCC".
• A DaemonSet that handles node operations, and communicates back to the controller. Let's call this the "DSP" (DaemonSet Pod).
• K8s API server

Things we might need to solve:

1. CCC -> apiserver (solved)
   a. [x] server (apiserver) authn -- cluster CA
   b. [x] client (CCC) authn -- Use service account tokens
   c. [x] authz -- RBAC
2. CCC -> DSP
   a. [ ] server (DSP) authn
   b. [x] client (CCC) authn -- Service account tokens + TokenReview
   c. [x] authz -- RBAC + SubjectAccessReview
3. DSP -> CCC
   a. [ ] server (CCC) authn
   b. [ ] client (DSP) authn
   c. [ ] authz
4. DSP -> apiserver
   a. [x] server (apiserver) authn -- cluster CA
   b. [ ] client (DSP) authn
   c. [ ] authz

Optionally, we could only solve one of (2) and (3), and just require communications to happen in a single direction (i.e. pull or push). We also might be able to avoid (4) by delegating to the CCC (i.e. require all DSP requests to the apiserver to go through the CCC).

/kind technical-debt
/sig auth

/cc @dashpole @vishh @davidz627 @Random-Liu

[mikedanese]

Authenticating node plugin to the control plane component (requires per-node identity of DaemonSets)

per-pod gets us per-node. This is #59670 and I hope to solve it with #61858.

[cjcullen]

More (somewhat concrete) use cases:

• Identity-exchange style Node Agents that want to make TokenRequests for Pods on their nodes.
• Node-Problem-Detector could reduce its current scope (right now it can get other node objects, and can patch other nodes' statuses).

I bet we'd also find ways to pull out functionality from core kubelet if this was possible.

[msau42]

/cc @msau42 @verult

[mikedanese]

Node-scoped authorization (may require extending the NodeRestriction controller to cover DaemonSet identities)

We've discussed intersecting node authorizer and rbac authorizer to give daemonsets a subset of the node's privilege. I suspect it will cover a lot of these usecases.

[tallclair]

I added some detail to the issue description to help us discuss the different parts.

@mikedanese Yeah, that makes sense. I think that could be the answer to (4.c), with per-pod identity giving (4.b).

[vikaschoudhary16]

/cc @vikaschoudhary16

[tallclair]

@ncdc @DirectXMan12 - mentioned OpenShift controller for generating serving certs, which if upstreamed could be an answer to (3.a), and maybe (2.a) with modification (although I'm not sure how that would work with secrets).

[tallclair]

We have proposed solutions for the remaining unsolved areas, most of which depend on the per-pod identity, which is currently planned as an alpha in 1.11:

2. CCC -> DSP
   a. server (DSP) authn - Pod-specific dual client/serving cert auto-approval and validation #63732
3. DSP -> CCC
   a. server (CCC) authn - Pod-specific dual client/serving cert auto-approval and validation #63732
   b. client (DSP) authn - TokenReview (w/ per-pod identity)
   c. authz - case-by-case, maybe NodeAuthorizer+SubjectAccessReview
4. DSP -> apiserver
   b. client (DSP) authn - per-pod identity (design: improved service account token volumes community#1973)
   c. authz - NodeAuthorizer/NodeRestriction expanded to service accounts (needs design)

I think it would be great to get these remaining pieces into 1.12 to unblock a lot of the plugin development currently underway.