-
Notifications
You must be signed in to change notification settings - Fork 479
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Deferred certificate issuance #1315
Comments
This is a cool idea, particularly around the sparse access of humans to production systems. |
I'm not sure this is exactly what you'd want for that property. How to actually get that: |
k8s-workload-register currently registers all workloads against a generic per-cluster node SPIFFE ID. |
That's helpful context @mcpherrinm @azdagron -- having something {de,}register workloads per kubernetes node seems like a more feasible approach. A few things about having the kubernetes integration register workloads that jump out at me:
I'm not entirely sure how to mitigate (1) at a glance, the other two challenges seem like design decision tradeoffs |
#1 seems possible to mitigate by plugging into the Kubernetes Scheduling Framework (https://kubernetes.io/docs/concepts/configuration/scheduling-framework). The "Reserve" and "Unreserve" integration points seem promising. On "reserve", a registration entry could be added. On "unreserve" it could be removed. |
My first impression is that it feels more natural to enable this feature on an agent-by-agent basis, e.g. Do you have cases in which exposing this feature as an agent configurable wouldn't quite cut the mustard?
These two statements feel conflicting? Or, is this an argument for per-entry control? |
I think this is being solved to some extent with #2593. Happy to revisit if needed. |
For some workloads, it might be undesirable to have spire-agents eagerly fetch certificates as soon as they learn about the registration.
Ideally I would like to specify when a registration entry is created via the API that issuance should be deferred until an agent has successfully attested the workload. Then the agent can fetch the certificate. The tradeoff of avoiding issuance seems worthwhile in some scenarios.
Here are two example use-cases:
We provide human users who log into systems SPIFFE credentials so they may perform administrative tasks by calling services or databases. Most of the time humans do not log into systems, so having certificates always ready to go is not needed. It is sufficient to provision them on-demand.
We run many CI jobs in docker containers. Some small fraction of them needs to call other services, so we want to make sure they have the option of getting a SPIFFE identity. I'd like to avoid issuing certificates until they're requested. Since we use short-lived containers for doing builds, there's significant overhead of re-issuing certificates to each build.
The text was updated successfully, but these errors were encountered: