Comments (5)
@SpectralHiss fwiw in Istio itself we have a CA_TRUSTED_NODE_ACCOUNTS that takes a list of SA's that are authorized to act in this regard (istio-system/ztunnel typically)
from istio-csr.
Nice! I skimmed it really quickly and looks like the right path. I'll put aside some time to make sure to give it a close review and try it out.
from istio-csr.
Hi @lapaartis, thanks for raising this!
We are able to reproduce, and you are right: this is an issue due to the way authentication works in istio-csr, which expects the workload's own bound service account token to be presented instead of the ztunnel one, which obviously differs in Ambient.
I suggest we add an exception for the ztunnel SA; the only difficulty is that we need to ensure we have the right name in the correct namespace, and that workloads don't use this to impersonate pods if they don't have a ztunnel installed!
Also @lapaartis , and this is besides the main issue, you can simplify your Istiod config like so:
global:
  caAddress: cert-manager-istio-csr.cert-manager.svc:443
pilot:
  env:
    ENABLE_CA_SERVER: false
The rest is automatically added since Istio 1.16:
https://istio.io/latest/news/releases/1.16.x/announcing-1.16/change-notes/#security
from istio-csr.
I put up a draft in #335. It 'works' but doesn't do enough auth. But it does prove that adding the auth is all that is blocking things working e2e. I would be happy for someone to carry on the PR or do it myself.
I would want some guidance though on whether it is preferred to just pull in https://github.com/istio/istio/blob/9ca112c308c2c4ab5d595d6ba052a88212dd00f7/security/pkg/server/ca/node_auth.go#L74 or to re-implement it
from istio-csr.
Thanks @howardjohn. I'm working on #336 to handle impersonation but need to add in node authorization. Looking to do something similar to https://github.com/istio/istio/blob/1.22.1/security/pkg/server/ca/node_auth.go#L110 to check the pod is on the same node as the ztunnel.
from istio-csr.
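The thread converges on two checks for letting ztunnel request certificates on behalf of other workloads: the caller's service account must be in an allow-list of trusted node accounts, and the identity being requested must belong to a pod on the same node as the calling ztunnel. The following is an added example of that authorization logic, not code from istio-csr or from Istio's node_auth.go. The `Identity`, `Pod` and `NodeAuthorizer` types, the `Authorize` signature and the in-memory pod table are assumptions standing in for a Kubernetes pod lister; the sample pods in `SampleAuthorizer` are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
)

// Identity is the (namespace, service account) pair a caller or target runs as,
// i.e. what ends up in a SPIFFE ID of the form spiffe://<td>/ns/<ns>/sa/<sa>.
type Identity struct {
	Namespace      string
	ServiceAccount string
}

func (i Identity) String() string { return i.Namespace + "/" + i.ServiceAccount }

// Pod is the subset of pod metadata the check needs. Assumed shape: a real
// implementation would read this from the Kubernetes API or an informer cache.
type Pod struct {
	Name           string
	Namespace      string
	ServiceAccount string
	Node           string
}

// PodKey identifies a pod uniquely within a cluster.
type PodKey struct{ Namespace, Name string }

// NodeAuthorizer decides whether a trusted node agent (ztunnel) may request a
// certificate for another workload. It follows the two checks discussed in the
// thread; the data structures are assumptions, not the project's own.
type NodeAuthorizer struct {
	// TrustedNodeAccounts lists the service accounts allowed to impersonate,
	// e.g. istio-system/ztunnel. Anything not listed is refused outright.
	TrustedNodeAccounts map[Identity]bool
	// Pods is an in-memory stand-in for a pod lister.
	Pods map[PodKey]Pod
}

var (
	ErrNotTrusted  = errors.New("caller service account is not a trusted node account")
	ErrCallerPod   = errors.New("caller pod not found or does not run as the authenticated service account")
	ErrNoTargetPod = errors.New("no pod with the requested identity runs on the caller's node")
)

// Authorize takes the caller identity authenticated from its own bound SA token,
// the caller's pod name (bound tokens carry it in the kubernetes.io/pod claim),
// and the identity the CSR asks for. It returns nil only when the caller is a
// trusted node account AND a pod with the requested identity runs on the same
// node as the caller's pod.
func (a *NodeAuthorizer) Authorize(caller Identity, callerPod string, requested Identity) error {
	// 1. Only listed node agents may impersonate. This is what stops an
	//    ordinary workload from presenting its own token and asking for
	//    someone else's identity.
	if !a.TrustedNodeAccounts[caller] {
		return fmt.Errorf("%w: %s", ErrNotTrusted, caller)
	}
	// 2. Resolve the caller's pod and confirm it really runs as that SA, so a
	//    pod name in the token cannot point at a pod owned by someone else.
	cp, ok := a.Pods[PodKey{Namespace: caller.Namespace, Name: callerPod}]
	if !ok || cp.ServiceAccount != caller.ServiceAccount {
		return fmt.Errorf("%w: %s/%s", ErrCallerPod, caller.Namespace, callerPod)
	}
	// 3. The requested identity must be backed by a pod on the caller's node.
	//    A ztunnel on node A cannot mint certificates for workloads on node B,
	//    which bounds the blast radius of a compromised ztunnel to its node.
	for _, p := range a.Pods {
		if p.Namespace == requested.Namespace && p.ServiceAccount == requested.ServiceAccount && p.Node == cp.Node {
			return nil
		}
	}
	return fmt.Errorf("%w: %s on node %s", ErrNoTargetPod, requested, cp.Node)
}

// SampleAuthorizer builds a constructed two-node cluster: one ztunnel per node,
// a "cart" workload on node-a and a "payments" workload on node-b.
func SampleAuthorizer() *NodeAuthorizer {
	pods := []Pod{
		{Name: "ztunnel-node-a", Namespace: "istio-system", ServiceAccount: "ztunnel", Node: "node-a"},
		{Name: "ztunnel-node-b", Namespace: "istio-system", ServiceAccount: "ztunnel", Node: "node-b"},
		{Name: "cart-0", Namespace: "shop", ServiceAccount: "cart", Node: "node-a"},
		{Name: "payments-0", Namespace: "shop", ServiceAccount: "payments", Node: "node-b"},
	}
	a := &NodeAuthorizer{
		TrustedNodeAccounts: map[Identity]bool{{Namespace: "istio-system", ServiceAccount: "ztunnel"}: true},
		Pods:                map[PodKey]Pod{},
	}
	for _, p := range pods {
		a.Pods[PodKey{Namespace: p.Namespace, Name: p.Name}] = p
	}
	return a
}

func main() {
	a := SampleAuthorizer()
	zt := Identity{Namespace: "istio-system", ServiceAccount: "ztunnel"}
	fmt.Println("same node:  ", a.Authorize(zt, "ztunnel-node-a", Identity{Namespace: "shop", ServiceAccount: "cart"}))
	fmt.Println("cross node: ", a.Authorize(zt, "ztunnel-node-a", Identity{Namespace: "shop", ServiceAccount: "payments"}))
	fmt.Println("not ztunnel:", a.Authorize(Identity{Namespace: "shop", ServiceAccount: "cart"}, "cart-0", Identity{Namespace: "shop", ServiceAccount: "payments"}))
}
```

The second check is the one that is easy to forget: the allow-list alone only proves the token belongs to some ztunnel, and without the pod lookup a stolen ztunnel token could be replayed against istio-csr from anywhere to obtain certificates for any workload in the cluster.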
Related Issues (20)
- Add ability to annotate certificate requests generated by istio-csr
- Add custom annotations to deployment
- charts.jetstack.io beding cluster presents a challenge and breaks deployment
- istio-csr vault integration - permission denied - Vault failed to sign certificate
- Restarting a namespace with 30+ deployments causes errors in istio-csr which tends to resolve after a while.
- Custom DNS support in istio-csr's istiod certificate
- False positive warnings from trivy and dependabot
- ClusterRole & ClusterRoleBindings for istio-csr
- TODO: tests - carotation creates two kind clusters
- Populate Subject Fields in Certificate
- CSR generation always defaults to P256 curve due to missing parameter
- It is not possible to provide SAN for istiod certificate
- how to build oci image locally using make command
- Istio sidecar can only request new cert using istio-token
- Document / improve that sometimes the issuer needs to set `ca.crt`
- Image version is v0.0.0
- Getting Readiness probe failed when using cert-manager-istio-csr
- Modify schema validation for additional property domain
- Document Link Fixes