Comments (4)
Yes, exactly, One could store their org CAs in Google Secret Manager (other cloud solutions are available stuck_out_tongue_winking_eye), and use kube secret store to mount the CA data into istio-csr.
👍
As everything is clarified and the PR is merged, I'll close this issue. Thank you again, @JoshVanL!
from istio-csr.
Hi @joshmue, thanks for the kind words! 🙂
I think everything you said here is correct, and perhaps the wording ("effectively") could be changed here to be less alarming..
Indeed, the idea here is we are trying to protect against a malicious actor who, by some means, is able to highjack signing (update permissions on CertificateRequests) for the istio-csr signing service and workload's issuer. This could be a stolen token from an existing signer (cert-manager-controller is one), or by other means. With this ability, the actor could completely change or inject an additional CA which would be a vector for attack.
By statically defining the root CAs, this attack doesn't work. An attacker would only be able to stop workloads trusting istio-csr's service or prevent workloads from joining the mesh- a safe failure state. Of course one could argue that this is just moving the problem, however I think that there are some good volume options out there which have arguably better security profiles (the secrets-store csi driver backed by Vault or a cloud provider paired with workload identity comes to mind).
Whilst having the behavior of changing root CAs over time on the fly isn't necessarily bad, root CAs should be fairly static things and their delivery pipeline tightly controlled.
from istio-csr.
Hi @JoshVanL, thank you very much for the rapid and detailed response! This really clears this topic up for me.
So it is more like a tradeoff between operational simplicity via automation vs. implementing CA pinning to reduce the security impact of e. g. cert-manager tokens being leaked.
When reading "TOFU" and its Wikipedia page, I got the impression that istio-csr would be vulnerable to simple MITM attacks somewhere - at least in the setup phase. Kind of like when using a SSH client with a lax configuration regarding host key checking. Or trusting selfsigned certificates in web browsers. Glad to see that this is not the case. Maybe this could also be clarified in the README like you kindly did in your comment.
Of course one could argue that this is just moving the problem, however I think that there are some good volume options out there which have arguably better security profiles (the secrets-store csi driver backed by Vault or a cloud provider paired with workload identity comes to mind).
Do you mean fetching the root CA certificate via one of these mechanisms?
from istio-csr.
So it is more like a tradeoff between operational simplicity via automation vs. implementing CA pinning to reduce the security impact of e. g. cert-manager tokens being leaked.
Yes, I think that is a fair assessment.
Maybe this could also be clarified in the README like you kindly did in your comment.
I agree, I'll open a PR to change this wording and clarify.
Do you mean fetching the root CA certificate via one of these mechanisms?
Yes, exactly, One could store their org CAs in Google Secret Manager (other cloud solutions are available 😜), and use kube secret store to mount the CA data into istio-csr.
from istio-csr.
Related Issues (20)
- cant install chart v0.5.0 HOT 6
- Metrics scraped twice
- Subject Name in CSR HOT 1
- Allow changing the default istio namespace, independent of issuer HOT 2
- istio-csr should seperate leases role permissions from cert-manager issuer namespace
- Third-party JWT issue HOT 1
- add the compatibility matrix for Kubernetes versions to README
- Add ability to annotate certificate requests generateed by istio-csr HOT 1
- Add custom annotations to deployment HOT 3
- charts.jetstack.io beding cluster presents a challenge and breaks deployment
- istio-csr vault integration - permission denied - Vault failed to sign certificate HOT 2
- Restarting a namespace with 30+ deployments causes errors in istio-csr which tends to reolve after a while. HOT 1
- Custom DNS support in istio-csr's istiod certificate HOT 1
- False positive warnings from trivy and dependabot HOT 2
- ClusterRole & ClusterRoleBindings for istio-csr
- TODO: tests - carotation creates two kind clusters
- Populate Subject Fields in Certificate HOT 1
- CSR generation always defaults to P256 curve due to missing parameter HOT 4
- It is not possible to provide SAN for istiod certificate HOT 2
- how to build oci image locally using make command HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from istio-csr.