aks-tls-bootstrap

module v0.1.0-alpha.0

Published: Jun 30, 2023 License: MIT
A client/server proof of concept (POC) for securely bootstrapping AKS nodes; see the PRD for details.

Implements the following components:

  • Client: a client-go credential plugin that is invoked from the bootstrap-kubeconfig
  • Server: a service that runs in the CCP, fronted by Envoy, which routes to it by matching on an ALPN value
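
As an added example (not code from aks-tls-bootstrap), the Go program below shows the exec credential plugin contract the client has to satisfy when the bootstrap-kubeconfig invokes it, and the client-side ALPN offer that Envoy would route on. The ExecCredential field names follow client.authentication.k8s.io/v1; the `bootstrapALPN` value, the `bootstrap.example` server name and the placeholder token are assumptions, since the README does not give them.

```go
// Added example, not code from aks-tls-bootstrap: the exec credential plugin
// contract a bootstrap-kubeconfig uses to call the client. The kubelet runs the
// plugin with an ExecCredential JSON in KUBERNETES_EXEC_INFO and reads an
// ExecCredential with a populated status back from stdout.
package main

import (
	"crypto/tls"
	"encoding/json"
	"fmt"
	"os"
	"time"
)

// These types mirror client.authentication.k8s.io/v1 ExecCredential; declared
// locally so the example needs nothing outside the standard library.
type ExecCredential struct {
	APIVersion string                `json:"apiVersion"`
	Kind       string                `json:"kind"`
	Spec       *ExecCredentialSpec   `json:"spec,omitempty"`
	Status     *ExecCredentialStatus `json:"status,omitempty"`
}

type ExecCredentialSpec struct {
	Interactive bool `json:"interactive"`
}

type ExecCredentialStatus struct {
	ExpirationTimestamp string `json:"expirationTimestamp,omitempty"`
	Token               string `json:"token,omitempty"`
}

const execAPIVersion = "client.authentication.k8s.io/v1"

// bootstrapALPN is an assumed protocol name; the README does not state the
// value Envoy matches on.
const bootstrapALPN = "aks-tls-bootstrap"

// ParseExecInfo decodes KUBERNETES_EXEC_INFO and rejects any API version other
// than the one this plugin speaks, so a kubeconfig/plugin mismatch fails loudly.
func ParseExecInfo(raw string) (*ExecCredential, error) {
	var in ExecCredential
	if err := json.Unmarshal([]byte(raw), &in); err != nil {
		return nil, fmt.Errorf("decode KUBERNETES_EXEC_INFO: %w", err)
	}
	if in.APIVersion != execAPIVersion || in.Kind != "ExecCredential" {
		return nil, fmt.Errorf("unexpected input %s/%s", in.APIVersion, in.Kind)
	}
	return &in, nil
}

// BuildExecCredential renders the stdout payload. expirationTimestamp is
// always set so client-go re-runs the plugin instead of caching a dead token.
func BuildExecCredential(token string, expiry time.Time) ([]byte, error) {
	if token == "" {
		return nil, fmt.Errorf("refusing to emit an empty token")
	}
	out := ExecCredential{
		APIVersion: execAPIVersion,
		Kind:       "ExecCredential",
		Status: &ExecCredentialStatus{
			ExpirationTimestamp: expiry.UTC().Format(time.RFC3339),
			Token:               token,
		},
	}
	return json.Marshal(out)
}

// BootstrapTLSConfig is the client half of the Envoy ALPN route: offer only the
// bootstrap protocol, so a front end that does not route it fails the handshake.
func BootstrapTLSConfig(serverName string) *tls.Config {
	return &tls.Config{
		ServerName: serverName,
		MinVersion: tls.VersionTLS12,
		NextProtos: []string{bootstrapALPN},
	}
}

func main() {
	if _, err := ParseExecInfo(os.Getenv("KUBERNETES_EXEC_INFO")); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// A real plugin would fetch the token from the bootstrap server over
	// BootstrapTLSConfig; the token below is a constructed placeholder.
	out, err := BuildExecCredential("placeholder-token", time.Now().Add(10*time.Minute))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	os.Stdout.Write(out)
}
```

A kubeconfig wires this in under `users[].user.exec` (apiVersion client.authentication.k8s.io/v1, command pointing at the plugin binary); the kubelet runs it whenever it needs a credential and re-runs it once expirationTimestamp has passed.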

To do

  • Nonce generation
  • IMDS/attested data querying
  • Attested data validation
  • VM ID validation
  • add TLS support
  • AAD auth to service (validate against a list of approved IDs somehow)
  • ALPN support on the client (used for Envoy routing)
  • Cache intermediate certificates so we don't have to retrieve them every time
  • Add option to allow root certificates to only be populated from a given directory (pinning) based on this blog post
  • Migrate functions onto the server struct and move the variables there
  • Create bootstrap token secret
  • Support service principal systems as well as MSI/UAMI systems
  • Set up authentication to AAD for system (demo uses cloud-provider's credentials)
  • Add webhook to validate CSR requests
  • Multi-cloud support (i.e. don't hardcode the public cloud)
  • Make server image run as non-root user
  • Create a script to request and sign a TLS cert for the service name so that we don't have to use the API server certificate
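
As an added example (not the project's code) for the nonce generation and bootstrap token secret items in the list above, the Go program below generates a replay nonce and a bootstrap token with crypto/rand and wraps the token in the kube-system Secret that the API server's bootstrap token authenticator reads. The `system:bootstrappers:aks-tls-bootstrap` group name and the one-hour lifetime are placeholders chosen for the example.

```go
// Added example, not code from aks-tls-bootstrap: nonce generation and the
// bootstrap token Secret from the to-do list, both built on crypto/rand.
package main

import (
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"math/big"
	"os"
	"regexp"
	"time"
)

// Bootstrap tokens are <id>.<secret>: 6 + 16 characters drawn from [a-z0-9].
const tokenAlphabet = "abcdefghijklmnopqrstuvwxyz0123456789"

var tokenIDRe, tokenSecretRe = regexp.MustCompile(`^[a-z0-9]{6}$`), regexp.MustCompile(`^[a-z0-9]{16}$`)

// randomString picks each character with crypto/rand.Int, which rejects
// out-of-range draws, so mapping onto 36 symbols carries no modulo bias.
func randomString(n int) (string, error) {
	size := big.NewInt(int64(len(tokenAlphabet)))
	buf := make([]byte, n)
	for i := range buf {
		idx, err := rand.Int(rand.Reader, size)
		if err != nil {
			return "", err
		}
		buf[i] = tokenAlphabet[idx.Int64()]
	}
	return string(buf), nil
}

// NewNonce returns n random bytes, hex encoded. The server issues it and the
// node binds it into its attested-data request so a reply cannot be replayed.
func NewNonce(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// NewBootstrapToken returns a fresh token id and secret.
func NewBootstrapToken() (id, secret string, err error) {
	if id, err = randomString(6); err != nil {
		return "", "", err
	}
	if secret, err = randomString(16); err != nil {
		return "", "", err
	}
	return id, secret, nil
}

type Secret struct {
	APIVersion string            `json:"apiVersion"`
	Kind       string            `json:"kind"`
	Metadata   map[string]string `json:"metadata"`
	Type       string            `json:"type"`
	StringData map[string]string `json:"stringData"`
}

// BootstrapTokenSecret builds the kube-system Secret the bootstrap token
// authenticator reads. Inputs are re-validated rather than trusted and a token
// with no future expiration is refused. The extra group is a placeholder.
func BootstrapTokenSecret(id, secret string, expiry time.Time) (*Secret, error) {
	if !tokenIDRe.MatchString(id) || !tokenSecretRe.MatchString(secret) {
		return nil, fmt.Errorf("token does not match [a-z0-9]{6}.[a-z0-9]{16}")
	}
	if !expiry.After(time.Now()) {
		return nil, fmt.Errorf("expiration must be in the future")
	}
	return &Secret{
		APIVersion: "v1",
		Kind:       "Secret",
		Metadata:   map[string]string{"name": "bootstrap-token-" + id, "namespace": "kube-system"},
		Type:       "bootstrap.kubernetes.io/token",
		StringData: map[string]string{
			"token-id":                       id,
			"token-secret":                   secret,
			"expiration":                     expiry.UTC().Format(time.RFC3339),
			"usage-bootstrap-authentication": "true",
			"auth-extra-groups":              "system:bootstrappers:aks-tls-bootstrap",
		},
	}, nil
}

func main() {
	id, secret, err := NewBootstrapToken()
	if err != nil {
		panic(err)
	}
	s, err := BootstrapTokenSecret(id, secret, time.Now().Add(time.Hour))
	if err != nil {
		panic(err)
	}
	json.NewEncoder(os.Stdout).Encode(s) // the node is handed "id.secret"; the cluster stores only this Secret
}
```

The Secret name must be `bootstrap-token-<id>` and live in kube-system for the authenticator to find it; any group listed in auth-extra-groups has to start with `system:bootstrappers:` or the API server rejects the token.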

Items to consider

  • How to decide if a machine is authorized or not (right now we just look at the identities; how will this work for BYON?)
    • Limit what subscription a machine can be in to join?
    • Some sort of nodepool association via RP?
    • kube-system secret (and -custom) listing allowed identities (this allows customers to create their own list?)
  • How will ARM/K8s permissions be handled?

Directories

Path            Synopsis
cmd
pkg
approver/mocks  Package mocks is a generated GoMock package.
client/mocks    Package mocks is a generated GoMock package.
server/mocks    Package mocks is a generated GoMock package.
