GEP 91: Update API #3881
GEP 91: Update API #3881
Conversation
Relates to kubernetes-sigs#3760 (comment) Signed-off-by: Arko Dasgupta <[email protected]>
k8s-ci-robot
added
the
release-note-none
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: arkodg The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
do-not-merge/hold
k8s-ci-robot
added
the
do-not-merge/work-in-progress
| @@ -570,6 +577,8 @@ type GatewayTLSConfig struct { | |||
| // that requests a user to specify the client certificate. | |||
| // The maximum depth of a certificate chain accepted in verification is Implementation specific. | |||
| // | |||
| // Setting any field will override the equivalent field setting that was applied at the Gateway level. | |||
There was a problem hiding this comment.
I have a couple of comments:
- Regarding "Setting any fields": The current phrasing implies merging the Frontend Validation struct from both gateway and listener levels. Given that this struct contains fields whose values depend on each other, I propose allowing overrides at the struct level. Therefore, I would change the line to "Setting this field."
- Regarding overriding Frontend validation config on the listener level: This does not resolve the HTTP Coalescing issue. To address this, we should restrict listener overrides. Two potential approaches are:
a) Restrict the use of the same TLS config for listeners sharing the same port.
b) Allow overrides only for listeners without a hostname set. We can extend this solution with a mechanism to inherit the config for all listeners with the same port from the parent (which is a listener without hostname set). This would provide clear signals to customers about the coalescing issue.
Let me know what you think about this proposal.
There was a problem hiding this comment.
for 1. there's a case where you may want to configure the CACert at the Gateway level, but update the mode at the Listener level, which is why i phrased it this way.
- https://gateway-api.sigs.k8s.io/geps/gep-3567/ takes a more lenient approach and proposes adding a
OverlappingTLSConfigcondition, imo we should do the same here, either piggyback off that condition or highlight via a new condition
There was a problem hiding this comment.
@youngnick ccing you here for 1. remember you bringing up this use case for per field overrides during the meeting in kubecon
@robscott ccing you here for 2. and to get some guidance on whether we want to use the same status condition or add an extra one
There was a problem hiding this comment.
rethinking for this case, this should affect the overlapping listeners and set Listener Accepted condition to False, with a ClientCertificateVerificationBypassed reason or something similar, wdyt ?
| @@ -636,10 +662,47 @@ type FrontendTLSValidation struct { | |||
| // "RefNotPermitted" reason. | |||
| // | |||
| // +kubebuilder:validation:MaxItems=8 | |||
| // +kubebuilder:validation:MinItems=1 | |||
| // +kubebuilder:validation:MinItems=0 | |||
There was a problem hiding this comment.
Can you elaborate why this change is needed? What is the use case not to pass any certificates?
From our customers we can see that there is a need to pass one or more certificates and to differentiate between trust anchors and allowlisted certificates. Since Allowlisted certificates are not technically CA certificates we can either rename existing field or introduce a new field for allowlisted certificates then sending an empty list of CAcertificates makes sense to me.
Also we should update the “Support: Core” line to reflect those changes.
There was a problem hiding this comment.
this is for the case when the CA cert is applied at the gateway level, and a mode is applied at the listener level
There was a problem hiding this comment.
relates to #3881 (comment)
geps/gep-91/index.md
Outdated
| @@ -27,7 +27,9 @@ This use case has been highlighted in the [TLS Configuration GEP][] under segmen | |||
| * This new field is separate from the existing [BackendTLSPolicy][] configuration. [BackendTLSPolicy][] controls TLS certificate validation for connections *from* the | |||
| Gateway to the backend service. This proposal adds the ability to validate the TLS certificate presented by the *client* connecting to the Gateway (the | |||
| frontend). These two validation mechanisms operate independently and can be used simultaneously. | |||
| * Also introduce a `ObjectReference` structure that can be used to specify `caCertificateRefs` references. | |||
| * Introduce a `ObjectReference` structure that can be used to specify `caCertificateRefs` references. | |||
| * Add `frontendValidation` to | |||
| // GatewayTLSConfig describes a TLS configuration that can be applied to a Gateway. | ||
| type GatewayTLSConfig struct { | ||
| // FrontendValidation holds configuration information for validating the frontend (client). | ||
| // Setting this field will require clients to send a client certificate |
There was a problem hiding this comment.
This line is inconsistent with struct changes. Please see my comment about certificates arrey.
| * Also introduce a `ObjectReference` structure that can be used to specify `caCertificateRefs` references. | ||
| * Introduce a `ObjectReference` structure that can be used to specify `caCertificateRefs` references. | ||
| * Add `frontendValidation` to | ||
| * Introduce a `tls` field within the Gateway Spec to allow for a common TLS configuration to apply across all listeners. |
There was a problem hiding this comment.
Please include information that “the newly introduced struct currently contains only client certificate validation configuration, but may be extended in the future."
| // that requests a user to specify the client certificate. | ||
| // The maximum depth of a certificate chain accepted in verification is Implementation specific. | ||
| // | ||
| // Each field may be overidden by an equivalent setting applied at the Listener level. |
There was a problem hiding this comment.
I don't get why we feel the need to have a Gateway level setting here.
Why not allow every setting in Listener at the top level? FrontendValidation doesn't seem unique at all. If anything, it seems less likely to be common across listeners.
There was a problem hiding this comment.
Ah I see its for Add a top level field for frontendValidation to avoid the auth bypass that may occur with HTTP/2 connection coalescing highlighted in https://gateway-api.sigs.k8s.io/geps/gep-3567/#interaction-with-client-cert-validation'. Given you can override it at the listener level, we didn't actually solve this problem...
IMO this is better solved with status or external validation. We can ship a sample Validation Admission Policy to deny inconsistent config between listeners, for example
There was a problem hiding this comment.
Yeah, Moving the frontend validation configuration to gateway was intended to resolve the HTTP coalescing issue. However, this may not be necessary if we can provide users with clear guidelines for configuring TLS settings for listeners.
What do you think about allowing overrides only for listeners without a hostname set? This would enable all listeners on the same port (regardless of hostname) to inherit the configuration, thus resolving the coalescing issue while keeping TLS settings at the listener level.
Signed-off-by: Arko Dasgupta <[email protected]>
k8s-ci-robot
added
size/L
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
Signed-off-by: Arko Dasgupta <[email protected]>
|
@arkodg: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
| // presented during the handshake and validated | ||
| // using CA certificates defined in CACertificateRefs. | ||
| // | ||
| // Defaults to RequireAndVerify. |
There was a problem hiding this comment.
In previous comments we discussed 3 options for cert validation:
- AllowInvalid
- AllowMissing
- RequireValid
In the current proposal the validation settings are too granular, looking at the fact that they are in Core support.
IMO we could merge Missing and Invalid into 1 option because in both cases request validation is moved to backend.
There was a problem hiding this comment.
this eliminates VerifyIfGiven
There was a problem hiding this comment.
yes, because I don't understand what would be the use case for all 4 ceses here.
Why do you want a case where the server doesn't require a certificate but if the client provides the certificate then it needs to be valid?
From our customers we can see that they need 2 usecases:
Require and validate the certificate
Allow for invalid and missing certificates
There are only two use cases because, in the second case, whether the certificate is missing or invalid is irrelevant; this scenario necessitates an additional validation at the backend level. Can you provide more context on Use Cases for all listed values?
|
hey @candita @shaneutt here's a summary of the discussion from today's meeting I'm referring to the proposal in this PR as Proposal 1 and @kl52752's proposal as Proposal 2 TLDR
|
| // | ||
| // +optional | ||
| // +kubebuilder:default=RequireAndVerify | ||
| Mode *FrontendValidationModeType `json:"mode,omitempty"` |
There was a problem hiding this comment.
Mode is a bad name for this concept. Can you make it more specific? ValidationMode or ValidationPrecision?
There was a problem hiding this comment.
tls.frontendValidation.validationMode repeats validation twice
There was a problem hiding this comment.
It occurs to me that multiple in-use versions of Gateway API will be affected for some time, and so there may be a "long tail" kind of situation here with implementations lagging behind for potentially a year or more?
As such, should we consider expanding our documentation to better describe this problem, and better warn implementations as an immediate first step prior to the proposal and changes?
|
Thanks to @arkodg and @kl52752 for the great summary of the options we have here! IMO, this is one of the highest risk areas of Gateway API. If we're not very careful, implementations will expose vulnerabilities when trying to implement this part of the API. With that in mind, my strong preference is for "Proposal 2" as described above. Essentially, the only way to safely implement proposal 1 is to require implementations to inspect each cert, keep track of the SANs, and ensure that client cert validation is always consistent across listeners that have certs with overlapping SANs. I'd strongly prefer avoiding requiring implementations to inspect individual certs like this, and I'm very nervous about the wide number of ways an implementation could get proposal 1 wrong and lead to some painful CVEs. Although proposal 2 offers a less powerful API, it is far safer, and does not prevent us from adding further granularity in the future if needed. So my vote here would be strongly in favor of proposal 2. Open to what others think here. |
|
I also vote for proposal 2 here, and am happy to LGTM something that adds that (I suspect this will all happen overnight while I am asleep). |
Relates to #3760 (comment)
What type of PR is this?
Does this PR introduce a user-facing change?: