Secure KubeArmor gRPC Endpoint #1464

Closed
daemon1024 opened this issue Oct 18, 2023 · 4 comments · Fixed by #1526
@daemon1024 (Member):

We use gRPC Insecure

https://github.com/kubearmor/kubearmor-relay-server/blob/34b9f3bd270e3edf6fbe3aae91504cc5f7f83ee3/relay-server/server/relayServer.go#L311

@daemon1024 daemon1024 converted this from a draft issue Oct 18, 2023
daemon1024 added a commit to kubearmor/kubearmor-relay-server that referenced this issue Oct 18, 2023
Include it back once we handle kubearmor/KubeArmor#1464

Signed-off-by: daemon1024 <barun1024@gmail.com>
daemon1024 added a commit to daemon1024/KubeArmor that referenced this issue Oct 18, 2023
Ref kubearmor#1044

Remove the gosec include once we handle kubearmor#1464

Signed-off-by: daemon1024 <barun1024@gmail.com>
daemon1024 added a commit to daemon1024/KubeArmor that referenced this issue Oct 18, 2023
Ref kubearmor#1044

Remove the gosec exclude once we handle kubearmor#1464

Signed-off-by: daemon1024 <barun1024@gmail.com>
daemon1024 added a commit to daemon1024/KubeArmor that referenced this issue Oct 18, 2023
Ref securego/gosec#1044 (comment)

Remove the gosec exclude once we handle kubearmor#1464

Signed-off-by: daemon1024 <barun1024@gmail.com>
@ShubhamTatvamasi ShubhamTatvamasi moved this from Triage to In Progress in v1.1.0 Release Nov 10, 2023
@daemon1024 daemon1024 moved this to In Progress in v1.2.0 Release Nov 29, 2023
@daemon1024 daemon1024 removed the status in v1.1.0 Release Nov 29, 2023
@daemon1024 (Member, Author) commented Nov 30, 2023:

  • Relay should be compatible with both TLS/Insecure KA Connection
  • All Clients should be compatible with both TLS/Insecure Relay/KA Connections
  • Keep TLSConfig False till we are sure that no one is going to use older Clients
  • Clients aren't limited to kArmor but any client which connects to Relay/KubeArmor over gRPC

@nyrahul nyrahul moved this from In Progress to Triage in v1.2.0 Release Jan 2, 2024
@PrimalPimmy PrimalPimmy moved this to Triage in v1.3.0 Release Jan 29, 2024
@DelusionalOptimist DelusionalOptimist moved this from Triage to In Progress in v1.3.0 Release Feb 5, 2024
@rksharma95 (Collaborator):

Overview of changes handled with linked PR:

Configurations

--tlsEnabled: "true/false"
--tlsCertPath: "valid path", common certificate path where the CA and client/server cert files are present.
--tlsCertProvider: "self/external", whether client/server certificates are provided (external) or need to be generated dynamically (self).

Certificate Generation:

  • A server or client would be able to create its own certificate, provided access to the CA certificate and key.
  • At this point the KubeArmor daemonset/server generates its own certificates; access to the CA will be provided by mounting the CA certificate using a k8s secret in a k8s env.
  • KubeArmor Relay and Karmor aren't required to create their own certificates. The client certificates will be generated by either the operator or the helm template and will be stored in a k8s secret.

HL Design Overview

[image: ka-secure-grpc]
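As an added example (not KubeArmor's or the linked PR's code), the Go snippet below shows the two pieces the comment above describes: a component that holds the CA cert and key minting its own leaf certificate (the "self" provider), and the server-side mutual-TLS config that replaces an insecure gRPC endpoint so that only clients holding a certificate from the same CA are accepted. The function names Mint and ServerTLSConfig and the CN kubearmor.kubearmor.svc are assumptions, and the CA is generated in-process as a stand-in for the one the k8s secret would carry.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Mint issues a certificate for cn. With ca == nil it makes a self-signed CA (stand-in for the
// CA cert+key in the k8s secret); otherwise, like the "self" provider, it signs a new leaf with ca.
func Mint(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames:  []string{cn}, // constructed SAN so hostname verification works in tests
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	parent, signer := t, key // self-signed unless a CA is supplied
	if ca == nil {
		t.IsCA, t.KeyUsage = true, x509.KeyUsageCertSign
	} else {
		parent, signer = ca, caKey
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// ServerTLSConfig: present leaf, and accept only clients whose cert chains to ca (mutual TLS).
func ServerTLSConfig(ca, leaf *x509.Certificate, key *ecdsa.PrivateKey) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: key, Leaf: leaf}},
		ClientCAs:    pool, ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS12,
	}
}
```

The returned tls.Config is what a gRPC server would wrap with credentials.NewTLS in place of insecure credentials; a client that cannot present a certificate chaining to the CA fails the handshake before any RPC is served.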

@github-project-automation github-project-automation bot moved this from In Progress to Done in v1.3.0 Release Feb 21, 2024
@daemon1024 daemon1024 reopened this Feb 21, 2024
@daemon1024 (Member, Author):

Reopening till we have client and relay integrations

@daemon1024 daemon1024 moved this from In Progress to Actual Release Blockers in Progress in v1.3.0 Release Mar 4, 2024
@daemon1024 daemon1024 moved this from Actual Release Blockers in Progress to In Progress in v1.3.0 Release Mar 6, 2024
@DelusionalOptimist DelusionalOptimist moved this to In Progress in v1.4.0 Release Mar 19, 2024
@DelusionalOptimist DelusionalOptimist moved this from In Progress to In Review in v1.4.0 Release Mar 22, 2024
@DelusionalOptimist DelusionalOptimist moved this from In Review to In Progress in v1.4.0 Release Mar 28, 2024
@DelusionalOptimist (Member):

Future action items:

  • Look into using an external CA (cert manager) instead of managing it ourselves and storing it in a k8s secret.

@daemon1024 daemon1024 moved this from In Progress to In Review in v1.4.0 Release Apr 1, 2024
@daemon1024 daemon1024 moved this from In Review to Done in v1.4.0 Release Apr 22, 2024