
Comments (5)

howardjohn avatar howardjohn commented on July 22, 2024 2

@SpectralHiss fwiw in Istio itself we have a CA_TRUSTED_NODE_ACCOUNTS that takes a list of SA's that are authorized to act in this regard (istio-system/ztunnel typically)

from istio-csr.

howardjohn avatar howardjohn commented on July 22, 2024 1

Nice! I skimmed it really quickly and looks like the right path. I'll put aside some time to make sure to give it a close review and try it out.

from istio-csr.

SpectralHiss avatar SpectralHiss commented on July 22, 2024

Hi @lapaartis, thanks for raising this!
We are able to reproduce, and you are right: this is an issue due to the way the authentication works in istio-csr, expecting the workload's own bound service account token to be presented instead of the ztunnel one, which obviously differs in Ambient.

I suggest we add an exception to the ztunnel SA; the only difficulty would be that we need to ensure that we have the right name and in the correct namespace, and that workloads don't use this to impersonate pods if they don't have a ztunnel installed!

Also @lapaartis, and this is besides the main issue, you can simplify your Istiod config like so:

global:
  caAddress: cert-manager-istio-csr.cert-manager.svc:443
pilot:
  env:
    ENABLE_CA_SERVER: false

The rest is automatically added since Istio 1.16:
https://istio.io/latest/news/releases/1.16.x/announcing-1.16/change-notes/#security

from istio-csr.

howardjohn avatar howardjohn commented on July 22, 2024

I put up a draft in #335. It 'works' but doesn't do enough auth. But it does prove that adding the auth is all that is blocking things working e2e. I would be happy for someone to carry on the PR or do it myself.

I would want some guidance though on whether it is preferred to just pull in https://github.com/istio/istio/blob/9ca112c308c2c4ab5d595d6ba052a88212dd00f7/security/pkg/server/ca/node_auth.go#L74 or to re-implement it.

from istio-csr.

paulwilljones avatar paulwilljones commented on July 22, 2024

Thanks @howardjohn. I'm working on #336 to handle impersonation but need to add in node authorization. Looking to do something similar to https://github.com/istio/istio/blob/1.22.1/security/pkg/server/ca/node_auth.go#L110 to check the pod is on the same node as the ztunnel.

from istio-csr.
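The check discussed in this thread, as an added Go example that is not istio-csr's or Istio's code: a caller may request a certificate for another identity only if its own service account is on the trusted node-account list (istio-system/ztunnel in Ambient) and the requested identity belongs to a pod scheduled on the same node as the caller's pod. The PodInfo/NodeAuthorizer names and the cluster state in SampleAuthorizer are constructed for this example and stand in for a real pod lister.

```go
package main

import "fmt"

// PodInfo is the pod metadata the check needs (constructed sample data).
type PodInfo struct{ Namespace, Name, ServiceAccount, Node string }

// NodeAuthorizer holds the trusted node-account list ("namespace/serviceaccount")
// and the pods it can look up; a real implementation would query Kubernetes.
type NodeAuthorizer struct {
	TrustedAccounts map[string]bool
	Pods            []PodInfo
}

// Authorize takes the caller identity taken from its already-verified bound
// service-account token and the namespace/service account it requests a
// certificate for; nil means impersonation is allowed.
func (a *NodeAuthorizer) Authorize(callerNS, callerSA, callerPod, wantNS, wantSA string) error {
	if !a.TrustedAccounts[callerNS+"/"+callerSA] {
		return fmt.Errorf("%s/%s is not a trusted node account", callerNS, callerSA)
	}
	node := ""
	for _, p := range a.Pods {
		if p.Namespace == callerNS && p.Name == callerPod && p.ServiceAccount == callerSA {
			node = p.Node
		}
	}
	if node == "" {
		return fmt.Errorf("caller pod %s/%s not found or not scheduled", callerNS, callerPod)
	}
	for _, p := range a.Pods {
		if p.Namespace == wantNS && p.ServiceAccount == wantSA && p.Node == node {
			return nil // a pod with the requested identity runs beside this ztunnel
		}
	}
	return fmt.Errorf("no pod with identity %s/%s on node %s", wantNS, wantSA, node)
}

// SampleAuthorizer builds the constructed cluster state used to exercise the check.
func SampleAuthorizer() *NodeAuthorizer {
	return &NodeAuthorizer{
		TrustedAccounts: map[string]bool{"istio-system/ztunnel": true},
		Pods: []PodInfo{
			{"istio-system", "ztunnel-abc", "ztunnel", "node-a"},
			{"default", "web-1", "web", "node-a"},
			{"default", "api-1", "api", "node-b"},
		},
	}
}

func main() {
	a := SampleAuthorizer()
	fmt.Println(a.Authorize("istio-system", "ztunnel", "ztunnel-abc", "default", "web"))
	fmt.Println(a.Authorize("istio-system", "ztunnel", "ztunnel-abc", "default", "api"))
}
```

The second call is refused because the only pod running as default/api sits on node-b, so a ztunnel on node-a cannot obtain that identity.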
