===================== TLS support in Magnum ===================== Launchpad blueprint: https://blueprints.launchpad.net/magnum/+spec/secure-kubernetes Currently there is no authentication in Magnum to provide access control to limit communication between the Magnum service and the Kubernetes service so that Kubernetes can not be controlled by a third party. This implementation closes this security loophole by using TLS as an access control mechanism. Only the Magnum server will have the key to communicate with any given Kubernetes API service under its control. An additional benefit of this approach is that communication over the network will be encrypted, reducing the chance of eavesdropping on the communication stream. Problem Description ------------------- Magnum currently controls Kubernetes API services using unauthenticated HTTP. If an attacker knows the api_address of a Kubernetes Bay, (s)he can control the cluster without any access control. Use Cases --------- 1. Operators expect system level control to be protected by access control that is consistent with industry best practices. Lack of this feature may result in rejection of Magnum as an option for hosting containerized workloads. Proposed Changes ---------------- The complete implementation of TLS support in Magnum can be further decomposed into below smaller implementations. 1. TLS support in Kubernetes Client Code. ----------------------------------------- The current implementation of Kubernetes Client code doesn't have any authentication. So this implementation will change the client code to provide authentication using TLS. Launchpad blueprint: https://blueprints.launchpad.net/magnum/+spec/tls-pythonk8sclient 2. Generating certificates ---------------------------- This task is mainly on how certificates for both client(magnum-conductor) and server(kube-apiserver) will be generated and who will be the certificate authority(CA). These files can be generated in two ways: 2.1. Magnum script ------------------- This implementation will use standard tool to generate certificates and keys. This script will be registered on Kubernetes master node while creating bay. This script will generate certificates, start the secure kube-apiserver and then register the client certificates at Magnum. 2.2. Using Barbican ------------------- Barbican can also be used as a CA using Dogtag. This implementation will use Barbican to generate certificates. 3. TLS Support in Magnum code ------------------------------ This work mainly involves deploying a secure bay and supporting the use of certificates in Magnum to call Kubernetes API. This implementation can be decomposed into smaller tasks. 3.1. Create secure bay ---------------------- This implementation will deploy a secure kube-apiserver running on Kubernetes master node. To do so following things needs to be done: * Generate certificates * Copy certificates * Start a secure kube-apiserver 3.1.1. Generate certificates ---------------------------- The certificates will be generated using any of the above implementation in section 2. 3.1.2. Copy certificates ------------------------ This depends on how cert and key is generated, the implementation will differ with each case. 3.1.2.1. Using Magnum script ---------------------------- This script will generate both server and client certificates on Kubernetes master node. Hence only client certificates needs to be copied to magnum host node. To copy these files, the script will make a call to magnum-api to store files. 3.1.2.2. Using Barbican ----------------------- When using Barbican, the cert and key will be generated and stored in Barbican itself. Either magnum-conductor can fetch the certificates from Barbican and copy on Kubernetes master node or it can be fetched from Kubernetes master node also. 3.1.3. Start a secure kube-apiserver ------------------------------------ Above generated certificates will be used to start a secure kube-apiserver running on Kubernetes master node. Now that we have a secure Kubernetes cluster running, any API call to Kubernetes will be secure. 3.2. Support https ------------------ While running any Kubernetes resource related APIs, magnum-conductor will fetch certificate from magnum database or Barbican and use it to make secure API call. 4. Barbican support to store certificates securely ---------------------------------------------------- Barbican is a REST API designed for the secure storage, provisioning and management of secrets. The client cert and key must be stored securely. This implementation will support Barbican in Magnum to store the sensitive data. Data model impact ----------------- New table 'cert' will be introduced to store the certificates. REST API impact --------------- New API /certs will be introduced to store the certificates. Security impact --------------- After this support, Magnum will be secure to be used in actual production environment. Now all the communication to Kubernetes master node will be secure. The certificates will be generated by Barbican or standard tool signed by trusted CAs. The certificates will be stored safely in Barbican when the Barbican cert storage option is selected by the administrator. Notifications impact -------------------- None Other end user impact --------------------- None Performance impact ------------------ None Other deployer impact --------------------- Deployer will need to install Barbican to store certificates. Developer impact ---------------- None Implementation -------------- Assignee(s) ----------- Primary assignee madhuri(Madhuri Kumari) yuanying(Motohiro Otsuka) Work Items ---------- 1. TLS Support in Kubernetes Client code 2. Support for generating keys in Magnum 3. Support creating secure Kubernetes cluster 4. Support Barbican in Magnum to store certificates Dependencies ------------ Barbican(optional) Testing ------- Each commit will be accompanied with unit tests. There will also be functional test to test both good and bad certificates. Documentation Impact -------------------- Add a document explaining how TLS cert and keys can be generated and guide updated with how to use the secure model of bays. References ---------- None