inquicker / kaws Goto Github PK

Since kaws specifically targets AWS, we should use AWS Key Management Service for handling the encryption of private data. GPG is workable, but has several properties that are less than ideal. Using KMS would facilitate using autoscaling group for the k8s cluster, because the instances can be assigned IAM instance profiles for decrypting data, meaning the TLS private keys can be stored encrypted in etcd and the manual provisioning steps currently in Terraform can be removed.

Right now kaws-agent will just restart kubelet's systemd service after refreshing any TLS credentials, but this does not cause the master components (most notably kube-apiserver) to restart, and hence they do not actually use the new credentials.

See kubernetes/kubernetes#25379.

Hello friend! Your crate is using a version of Rusoto before 0.25.0. The mega-crate version of Rusoto is deprecated. Please migrate to Rusoto 0.25.0 or later. rusoto/rusoto#676 has links to migration resources. Specifically, the 0.25.0 release notes detail how to migrate.

If you'd like more help, please reply to this issue and I'll do what I can! 👍

Currently the security document in the docs directory is just kind of a brain dump of information related to the security of the project. There isn't a clear distinction between what information is included in the "threat model" for each section and what is in the freeform parts above. The threat model sections should be revised to include a very succinct list of attack vectors and what should be considered compromised if they are successfully breached.

Because there is only one parameter to set the CoreOS AMI (--ami) for all nodes and this value is used to create the bastion instance which is hard-coded to be t2.micro, this means that the AMI must be of HVM type. By extension this means that no PV-only instance types can be used (e.g. t1.micro, m1.small and m1.medium) as the argument to --instance-size.

If this is intended I suggest that it should be documented.

kaws admin sign will produce a certificate with at most one organization, even if multiple organizations were in the CSR.

Root cause: cloudflare/cfssl#599

Currently the k8s clusters generated by kaws are locked at two masters and two nodes, which makes the entire project unusable as anything but a technical demo. In order to make the clusters adaptable to any size, both the master servers and nodes should be variable using an autoscaling group. In order to do this, the servers must be able to download and decrypt TLS private keys from etcd instead of being provisioned manually be an administrator over SSH. This will be possible once kaws using KWS instead of GPG for private key encryption. (See #1.)

Since kaws is tied to CoreOS and it's safe to say CoreOS will have the best possible support for rkt, we should use rkt as k8s's container runtime instead of Docker, as soon as rkt is 1.0. rkt has much saner tooling (acbuild is significantly better than Dockerfiles) and a better security story (doesn't run as a daemon, signed images, doesn't require a registry, etc.) rkt can run Docker images as well so this change will not preclude the use of Docker images.

Hello, just thought I should notify you that there's been a breaking change in rusoto (rusoto/rusoto#435) which affects your project. Particularly, IamProvider has been renamed to InstanceMetadataProvider.

You'll need to change the references to IamProvider here once you update to rusoto 0.20.0. :)

Although that being said it looks like you're still on rusoto 0.13.0, so this won't affect you if you choose to stay on that version.