docs: add proposal of Karmada Self-Signed Certificate Content Standardization #6189
Conversation
karmada-bot
added
the
size/L
|
Codecov ReportAll modified and coverable lines are covered by tests ✅
❗ Your organization needs to install the Codecov GitHub app to enable full functionality. Additional details and impacted files@@ Coverage Diff @@
## master #6189 +/- ##
==========================================
+ Coverage 47.97% 49.34% +1.37%
==========================================
Files 674 677 +3
Lines 55841 55004 -837
==========================================
+ Hits 26788 27143 +355
+ Misses 27305 26097 -1208
- Partials 1748 1764 +16
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Preliminary Design Document DiscussionThis document is an initial design draft. However, there are some unresolved questions regarding the overall system design that I have raised in the document. For clarity, I will describe the issues again here. 1. Secret Generation During Cluster Deployment
2. Generating Individual Certificate Files for Each ClientI have encountered some design issues when considering generating independent, usable certificate files for each client. I currently have two approaches: Option 1:
Option 2:
3. Using a Consistent Certificate Across Different Servers for the Same Client
|
docs/proposals/cert/Self-Signed_Certificate_Content_Standardization.md
Outdated
Show resolved
Hide resolved
docs/proposals/cert/Self-Signed_Certificate_Content_Standardization.md
Outdated
Show resolved
Hide resolved
docs/proposals/cert/Self-Signed_Certificate_Content_Standardization.md
Outdated
Show resolved
Hide resolved
|
@tiansuo114 Thank you for your proposal as it is valuable for the security of the project. In fact, the changes in the certificate configuration will ultimately be reflected in the fields of the certificate. And the proposal you put forward in your proposal mainly affects the Certificate:
Data:
Signature Algorithm: sha384WithRSAEncryption
Issuer: CN = karmada
Subject: O = system:masters, CN = system:admin
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:*.karmada-system.svc.cluster.local, DNS:*.karmada-system.svc, DNS:localhost, IP Address:127.0.0.1, IP
|
Thank you for the detailed description. The certificate updates you mentioned primarily affect the Subject and Subject Alternative Name (SAN) fields. Below are the key differences between the certificates before and after the changes: Before Changes (Current Implementation)Server Certificate (
|
karmada-bot
added
size/XL
|
The content of the document has been updated according to the results of the meeting. How does it look now? |
docs/proposals/cert/Self-Signed_Certificate_Content_Standardization.md
Outdated
Show resolved
Hide resolved
tiansuo114
force-pushed
the
self-signed_cert_proposal
branch
from
597712c to
80a295f
Compare
tiansuo114
force-pushed
the
self-signed_cert_proposal
branch
from
80a295f to
2a3f45a
Compare
tiansuo114
changed the title
|
|
||
| Special Cases: | ||
| 1. For the two client components connecting to karmada-scheduler-estimator (karmada-scheduler and karmada-descheduler), since they use the gRPC protocol when connecting to karmada-scheduler-estimator, and they are the only components using gRPC protocol for this connection, the certificate is only used for TLS connection and does not contain identity verification attributes. | ||
| 2. Regarding the karmada-interpreter-webhook component, since it is only used for cluster e2e testing, it is considered a test component and does not play a role in actual production clusters. Therefore, it is unnecessary to change its certificate to a more granular one. |
There was a problem hiding this comment.
This component is not only used by E2E but also a demo component. Users can refer to this component to implement their own components and apply them to the production environment.
| util::create_signing_certkey "" "${CERT_DIR}" ca karmada '"client auth","server auth"' | ||
|
|
||
| # 2. Create common certificates for servers using root CA | ||
| util::create_certkey "" "${CERT_DIR}" "ca" server server "" "${karmadaAltNames[@]}" |
There was a problem hiding this comment.
How do you set the parameter karmadaAltNames?
tiansuo114
force-pushed
the
self-signed_cert_proposal
branch
from
2a3f45a to
fa574db
Compare
|
I tried to modify the document content according to yesterday's meeting, how does it look now? |
| - Identity Confusion Risk: All components share the same certificate content, making it impossible to distinguish component identities through certificate Subject | ||
| - Security Vulnerabilities: A single certificate compromise would jeopardize the entire system's security, violating the principle of least privilege | ||
| - Operational Complexity: Certificate rotation requires global operations, lacking fine-grained control capabilities | ||
| - Standards Compliance Gap: Does not meet cloud-native security standards (such as NIST SP 800-204B) requirements for mTLS communication between microservices |
There was a problem hiding this comment.
After this proposal, are these shortcomings gone?
There was a problem hiding this comment.
I made some mistakes in writing this part,After these modifications are applied to the system:
- Identity Confusion Risk: All components share the same certificate content, making it impossible to distinguish component identities through certificate Subject
- Security Vulnerabilities: A single certificate compromise would jeopardize the entire system's security, violating the principle of least privilege
These two issues will be completely resolved.
- Operational Complexity: Certificate rotation requires global operations, lacking fine-grained control capabilities
- Standards Compliance Gap: Does not meet cloud-native security standards (such as NIST SP 800-204B) requirements for mTLS communication between microservices
However, these two issues will not be completely resolved and will still require further modifications. I have now modified this content to only retain the issues that have been completely resolved.
| util::create_key_pair "" "${CERT_DIR}" "sa" | ||
| ``` | ||
|
|
||
| ### 2. Certificate Content Change Examples(有没有必要将证书内容修改的实际方式列出来()) |
There was a problem hiding this comment.
I'm very sorry. 😭 This was my mistake. Now this part of the incorrect content has been deleted
| ``` | ||
| Certificate: | ||
| Issuer: CN = karmada | ||
| Subject: CN = karmada-apiserver |
There was a problem hiding this comment.
| Subject: CN = karmada-apiserver | |
| Subject: CN = system:karmada:karmada-apiserver |
Be consistent with the following content.
|
|
||
| ### 1. Certificate Generation Script Modification | ||
|
|
||
| Current certificate generation process in `hack/deploy-karmada.sh`: |
There was a problem hiding this comment.
The following script modifications are only for some components. You can add a note indicating that this is just an example and not a full set of changes
There was a problem hiding this comment.
Ok. The above problems have been fixed. How does this document look now?
tiansuo114
force-pushed
the
self-signed_cert_proposal
branch
2 times, most recently
from
5858392 to
6ae46de
Compare
…dization Signed-off-by: tiansuo114 <zhaoyi_114@outlook.com>
tiansuo114
force-pushed
the
self-signed_cert_proposal
branch
from
6ae46de to
7993912
Compare
|
/retest |
|
thanks~ |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: XiShanYongYe-Chang The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
karmada-bot
added
the
approved
What type of PR is this?
/kind documentation
What this PR does / why we need it:
Design documentation for supporting karmada's new self-signed certificate system
Which issue(s) this PR fixes:
Part of 6091
Special notes for your reviewer:
@XiShanYongYe-Chang
@chaosi-zju
@zhzhuang-zju
Does this PR introduce a user-facing change?: