SPIFFE and Envoy to achieve cross-cluster mTLS where every cluster utilizes an independent SPIFFE trust domain #14614
anvega added the enhancement (Feature requests. Not bugs or questions.) and triage (Issue requires triage) labels on Jan 8, 2021
Assigned to @lizan for triage.
This makes sense. My idea during my discussion with @anvega is that we:
WDYT? @ggreenway @PiotrSikora @asraa
An extension point for cert validation makes a lot of sense to me. +1
lizan pushed a commit that referenced this issue on Mar 3, 2021
…trust domain support (#14884) Adds the extension point for certificate validations, and its first implementation for SPIFFE multi trust domain support in a single listener or cluster. Resolves #14614 and #9284. Risk Level: low (only adding the new extension point and one implementation for it) Testing: unit tests and integration tests. Docs Changes: Release Notes: tls: implement SPIFFE Certificate Validator for independent multiple trust domain support. Signed-off-by: Takeshi Yoneda <[email protected]>
lizan pushed a commit to envoyproxy/data-plane-api that referenced this issue on Mar 3, 2021
…trust domain support (#14884) Adds the extension point for certificate validations, and its first implementation for SPIFFE multi trust domain support in a single listener or cluster. Resolves envoyproxy/envoy#14614 and envoyproxy/envoy#9284. Risk Level: low (only adding the new extension point and one implementation for it) Testing: unit tests and integration tests. Docs Changes: Release Notes: tls: implement SPIFFE Certificate Validator for independent multiple trust domain support. Signed-off-by: Takeshi Yoneda <[email protected]> Mirrored from https://github.com/envoyproxy/envoy @ 50e81276fd8f109ba3a6134e790f65c1cc5bdec9
dmitri-d pushed a commit to dmitri-d/maistra-envoy that referenced this issue on May 7, 2021
cherry-pick of tls: implement SPIFFE Certificate Validator for independent multiple trust domain support (#14884) Adds the extension point for certificate validations, and its first implementation for SPIFFE multi trust domain support in a single listener or cluster. Resolves envoyproxy/envoy#14614 and envoyproxy/envoy#9284. Risk Level: low (only adding the new extension point and one implementation for it) Testing: unit tests and integration tests. Docs Changes: Release Notes: tls: implement SPIFFE Certificate Validator for independent multiple trust domain support. Signed-off-by: Takeshi Yoneda <[email protected]>
maistra-bot pushed a commit to maistra/envoy that referenced this issue on May 10, 2021
* Fixes MAISTRA-2324: port of tls: separate out cert validation logic from ContextImpl (#14757)
* Fixes MAISTRA-2324: cherry-pick of tls: implement SPIFFE Certificate Validator for independent multiple trust domain support (#14884) Adds the extension point for certificate validations, and its first implementation for SPIFFE multi trust domain support in a single listener or cluster. Resolves envoyproxy/envoy#14614 and envoyproxy/envoy#9284. Risk Level: low (only adding the new extension point and one implementation for it) Testing: unit tests and integration tests. Docs Changes: Release Notes: tls: implement SPIFFE Certificate Validator for independent multiple trust domain support. Signed-off-by: Takeshi Yoneda <[email protected]>
* Fixes MAISTRA-2324: cherry-pick of tls: fix flaky integration test of SPIFFE validator (#15301) Previously these tests flaked due to an early counter check before the counter is actually incremented, and failed occasionally around 1~3%. I tried this with --runs_per_test=10000 and it never failed. Signed-off-by: Takeshi Yoneda <[email protected]> Signed-off-by: Dmitri Dolguikh <[email protected]>
* Fixes MAISTRA-2324: cherry-pick of Add separate SPIFFE integration test build target. (#15324) Signed-off-by: Takeshi Yoneda <[email protected]> Signed-off-by: Dmitri Dolguikh <[email protected]>
* Fixes MAISTRA-2324: cherry-pick of tls: enable allow_expired_certificate for SPIFFE validator (#15426) Signed-off-by: Takeshi Yoneda <[email protected]> Signed-off-by: Dmitri Dolguikh <[email protected]>
* Fixes MAISTRA-2324: cherry-pick of tls: enable match_subject_alt_names option in SPIFFE validator (#15509) Signed-off-by: Takeshi Yoneda <[email protected]> Signed-off-by: Dmitri Dolguikh <[email protected]>
Co-authored-by: Takeshi Yoneda <[email protected]>
Title: SPIFFE and Envoy to achieve cross-cluster mTLS where every cluster utilizes an independent SPIFFE trust domain.
Description:
There is a strong desire from the community for the ability to use SPIFFE and Envoy together to achieve a “Federated Identity and Authentication scheme” in which each of multiple clusters manages its own SPIFFE trust domain. This is of particular importance for cross-cluster communication in environments which view clusters as different security and/or administrative domains.
The way SPIFFE validation works involves inspecting the trust domain of a presented SVID, and selecting the correct bundle based on the trust domain name. This allows trust domains to remain fully isolated and prevents one trust domain from minting certificates with identities belonging to another.
Envoy does not currently support this kind of validation today, either via CA pinning, native SPIFFE mTLS support or otherwise. A workaround to this deficiency is to use SNI as a routing key for incoming TLS sessions. Each cluster uses a dedicated URL for contacting a foreign cluster service, and the foreign cluster's Envoy uses this URL (from the SNI) to determine the appropriate validation context. Taking this approach, it is not possible for a compromised cluster to impersonate workloads in other clusters.
From discussion with @lizan there might be alternate approaches to consider such as implementing validation through an extension.
Relevant Links:
#9284 "Enhance envoy listener TLS to support multiple trust domain"
SPIFFE Trust Domain and Bundle Spec