Good Fences Make Good Neighbors
Making Cross-Namespace References more secure with ReferenceGrant

Speaker: Nick Young (youngnick)

Not this type of Neighbours

What we'll talk about

- Namespaces are one of the most important security boundaries in Kubernetes
- Making references across namespaces is easy to get wrong
- Some prior art
- How Gateway API does cross-namespace references
- What's a ReferenceGrant anyway?
- Next steps

Kubernetes Namespaces

- Namespaces are the main way to enclose trust boundaries.
- Most users control a whole namespace.
- Sometimes, cross-namespace references would be really handy though!
- TLS Secrets you want to use but shouldn't see the values of.
- Some users want to have ingress config live in one namespace and backends in another.

Cross-namespace references are hard!

- How do you ensure that you can only expose what you should be?
- The key is that the referent and the referrer need to agree.

Prior Art - Contour's TLSCertificateDelegation

- Lives next to the secret being delegated
- Names the secret
- Has multiple target namespaces
- Target namespace can be * for all
- Uses a / in the secretName field in Contour's HTTPProxy resource to reference the Secret. Not ideal.

Let's do better in Gateway API

- In Gateway API, we're trying to do this right.

Gateway API - Gateway and Route binding

Gateway API - Gateway and Route binding

kind: Gateway
metadata:
  name: shared-gw
  namespace: infra-ns
spec:
  listeners:
  - name: http
    hostname:
    allowedRoutes:
      namespaces:
        from: Selector
        selector:
          matchLabels:
            shared-gateway-access: "true"
---
kind: Namespace
metadata:
  name: nsA
  labels:
    shared-gateway-access: "true"
---
kind: HTTPRoute
metadata:
  name: HTTPRouteA
  namespace: nsA
spec:
  parentRefs:
  - name: shared-gw
    namespace: infra-ns
  rules:
  - backendRefs:
    - name: home
      port: 8080

Gateway API - Gateway and Route binding

Gateway and
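The binding shown on the slides is a two-sided handshake: the HTTPRoute (the referrer) names the Gateway in its parentRefs, and the Gateway's listener (the referent) has to admit the Route's namespace through allowedRoutes.namespaces before the attachment counts. The following Python is an added example that is not part of the talk and is not code from the Gateway API project; it models that check over dict-shaped copies of the slide's objects. It assumes only the matchLabels form of the selector (matchExpressions is left out), and nsB is a constructed second namespace that lacks the label, so the check has something to refuse.

```python
"""Model of Gateway API listener/route binding (added example, not project code).

Implements the allowedRoutes.namespaces rule with its three modes:
  Same     - only Routes in the Gateway's own namespace (the API default)
  All      - Routes from any namespace
  Selector - Routes whose namespace matches a label selector
Only matchLabels is handled here; matchExpressions is an assumed simplification.
"""
from typing import Dict, List, Optional

# Constructed objects mirroring the slides. nsB is added here as a namespace
# without the label, so that the selector has a negative case.
GATEWAY = {
    "kind": "Gateway",
    "metadata": {"name": "shared-gw", "namespace": "infra-ns"},
    "spec": {"listeners": [{
        "name": "http",
        "allowedRoutes": {"namespaces": {
            "from": "Selector",
            "selector": {"matchLabels": {"shared-gateway-access": "true"}},
        }},
    }]},
}

NAMESPACES: Dict[str, dict] = {
    "infra-ns": {"metadata": {"name": "infra-ns", "labels": {}}},
    "nsA": {"metadata": {"name": "nsA", "labels": {"shared-gateway-access": "true"}}},
    "nsB": {"metadata": {"name": "nsB", "labels": {"team": "other"}}},
}


def make_route(name: str, namespace: str, parent_ns: Optional[str] = "infra-ns") -> dict:
    """Build an HTTPRoute like HTTPRouteA; parent_ns=None omits the parentRef namespace."""
    ref = {"name": "shared-gw"}
    if parent_ns is not None:
        ref["namespace"] = parent_ns
    return {
        "kind": "HTTPRoute",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {"parentRefs": [ref],
                 "rules": [{"backendRefs": [{"name": "home", "port": 8080}]}]},
    }


def listener_admits_namespace(listener: dict, gateway_ns: str, route_ns: str,
                              namespaces: Dict[str, dict]) -> bool:
    """The referent's side: does this listener's allowedRoutes accept route_ns?"""
    rule = listener.get("allowedRoutes", {}).get("namespaces", {})
    mode = rule.get("from", "Same")  # Gateway API defaults to Same
    if mode == "Same":
        return route_ns == gateway_ns
    if mode == "All":
        return True
    if mode == "Selector":
        if "selector" not in rule:  # selector is required with from: Selector
            return False
        wanted = rule["selector"].get("matchLabels", {})
        ns_obj = namespaces.get(route_ns)
        if ns_obj is None:
            return False  # unknown namespace: fail closed
        labels = ns_obj["metadata"].get("labels", {})
        return all(labels.get(k) == v for k, v in wanted.items())
    return False  # unrecognised mode: fail closed rather than open


def route_binds(route: dict, gateway: dict, namespaces: Dict[str, dict]) -> List[str]:
    """Return the names of the listeners the route may attach to.

    Both sides must agree: the route's parentRef has to name this gateway, and a
    listener has to admit the route's namespace. Either side alone grants nothing.
    """
    gw_name = gateway["metadata"]["name"]
    gw_ns = gateway["metadata"]["namespace"]
    route_ns = route["metadata"]["namespace"]
    # A parentRef without a namespace refers to the route's own namespace.
    refers = any(ref.get("name") == gw_name and ref.get("namespace", route_ns) == gw_ns
                 for ref in route["spec"]["parentRefs"])
    if not refers:
        return []
    return [lst["name"] for lst in gateway["spec"]["listeners"]
            if listener_admits_namespace(lst, gw_ns, route_ns, namespaces)]


if __name__ == "__main__":
    for name, ns, parent in [("HTTPRouteA", "nsA", "infra-ns"),
                             ("HTTPRouteB", "nsB", "infra-ns"),
                             ("HTTPRouteC", "nsA", None)]:
        print(name, ns, "->", route_binds(make_route(name, ns, parent), GATEWAY, NAMESPACES))
```

HTTPRouteA binds to the http listener; a Route in nsB is refused by the selector even though it names the Gateway correctly; and a Route in nsA whose parentRef omits the namespace is refused too, because that reference resolves to a Gateway in nsA, not infra-ns. The same shape of check, with the roles reversed, is what a ReferenceGrant makes explicit for other cross-namespace references.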