The Bottom Turtle Reference Architecture(s) #5206
Comments
|
For sake of discussion, what could be done with a set of RPI's with some kind of TPM, like: |
|
Kubelet is gaining the ability to refresh server certs, merged but not released yet: client auth can be done via jwt token. No updating of CA's yet though. |
|
Thank you for raising this. I'm currently exploring alongside others the possibilities of using OpenTitan as the silicon root of trust to anchor and bootstrap trust. Although my exploration is ongoing, I'm eager to collaborate and share my findings. |
I'm confused about the focus of the request, as using Raspberry PI TPMs is a deployment detail, not an architecture (at least in my mind). If support for the "Infineon Optiga™ SLB 9670 TPM 2.0" is missing, and a pre-requisite for this effort, please consider handling that missing pre-req in a different issue (and linking the two). |
|
@edwbuck For example, see: They go all the way down to an example of workable hardware in their reference. The general idea being, reference architectures should be implementable. Having a concrete, working example helps test/prove it works. |
|
Thank you, @kfox1111, for raising this issue! I agree that having a documented reference architecture to use SPIRE as the bottom turtle would be great to have. Additionally, providing a concrete, working example that includes all components would be highly beneficial as it ensures reproducibility. I think that it is important, however, to clearly differentiate between example-specific choices and general recommendations. I personally think that this reference should ideally mention alternative options where appropriate and explicitly state what has been tested. From the points mentioned in the description, I believe the first point, 'One or more examples, from the ground up, that can establish the bottom turtle(s) in an internet-disconnected environment,' is probably the most important to start with? If you agree, we could begin by scoping out what this would entail. For instance, should it be purely documentation, or should we include a fully working example with automated steps, etc. It appears that there are several individuals interested in contributing to this effort. Defining the specific environment and components of this first instance of a reference architecture seems to be the first step. |
Yeah, that sounds good to me. I'm thinking purely documentation, at least initially. I'm also thinking something like a RPI for it, or one of the initial examples. They are cheep, and relatively easily obtained for anyone wanting to play with them at home. |
amartinezfayo
added
priority/backlog
|
@amartinezfayo @kfox1111 I attempted to clarify the request by editing this issue; but, as a non-maintainer, I lack the permissions to edit the issue. My clarifications of the request, as well as removal of the confusing "SPIRE is the bottom turtle" commentary, when some aspects of node attestation defer to a bottom turtle of TPM are captured in #5291 I suggest either using that issue to update the text here (closing #5291 , or closing this issue with the transfer of effort to #5291 |
|
TPMs being used for NodeAttestation does not block SPIRE from being the bottom turtle IMO, and isn't the purpose I'm trying to get at. spire-server is the root of the trust with its CA chain for the whole spiffe trust domain. TPMS are just replacing the use of JoinTokens, which I think we can probably agree, are allowed in a bottom turtle architecture. I think TPMS would help make the process easier/smoother, but if we did the first example with join tokens, it would be ok. I think the request in general is still valid. We need documented reference architectures, where the spire-server is not relying on other CA's for the bottom turtle for the spire-server itself. For example, helm installing helm-charts-hardened today, causes a spire-server to be deployed that wont function in the absence of the kubernetes client CA that all the kubelets use, really making that CA one of the bottom turtles. That along with the etcd CA k8s uses for resource storage, which is a second CA that spire-server is really dependent on. I'm interested in examples where, you deploy the spire-server on bare metal, without any CA's involved, establish your SPIRE root CA, and then use that as the root CA for other nodes to form usable clusters/services. If any steps before spire-server deployment involve making a CA/certificate (puppet register, kubeadm join, etc) then I don't think SPIRE is really the bottom turtle. |
amartinezfayo
added
the
unscoped
It should be possible to use SPIRE as the bottom turtle for security. In order to do so, there has to be one or more deploy-able, maintainable, scalable, fault tolerant, and documented SPIRE architectures that do not rely on 3rd party roots of trust as part of establishing that root of trust.
The easiest to use multinode setup currently is the helm charts. The helm chart project has multiple documented reference architectures for SPIRE. But all of them rely on the Kubernetes clusters preestablished control plane/node trust. So SPIRE isn't the bottom turtle in those environments. The K8s CA is.
We need:
One example:
Reasoning: PI 5 over others because it has a RTC and m.2 support. Clock important for cert issuance. m.2 for better write durability. Recommend as much ram as possible. Not for SPIRE, but for future use as memory is not upgradable. Known working:
Other considerations:
The text was updated successfully, but these errors were encountered: