
[Question] How authenticate the edge devices during cluster join? #1061

Closed
fujitatomoya opened this issue Nov 16, 2022 · 9 comments
Closed
Labels: kind/question

Comments

@fujitatomoya (Contributor)

What happened:

According to the OpenYurt architecture, the Kubernetes api-server needs to be reachable from edge devices via a public network such as the internet.
In that case, the Kubernetes api-server must be exposed to the public network, which raises a security concern since anyone can access the Kubernetes api-server.

What you expected to happen:

Is there any best practice or solution for how to deal with this possible security exposure?
We would like to know the general recommendations or suggestions for how we would want to deal with this.

/kind question

@fujitatomoya added the kind/question label Nov 16, 2022
@fujitatomoya (Contributor, Author)

CC: @Windrow @FengGaoCSC

@rambohe-ch (Member)

@fujitatomoya kube-apiserver only exposes an https service to the public network, which means only clients that have valid certificates can access kube-apiserver. So fake users can not get detailed info from the cluster.

We also suggest putting a LoadBalancer in front of kube-apiserver, and configuring a whitelist or blacklist (that kind of security rule) on the load balancer in order to get rid of security risks.

@fujitatomoya (Contributor, Author)

@rambohe-ch thanks for your comment, sorry to be late getting back to you, I was caught on vacation. We might have more questions on this security aspect, so we would like to keep this open for a bit. But if nothing comes up for weeks, please go ahead and close this issue.

@rambohe-ch (Member)

> @rambohe-ch thanks for your comment, sorry to be late getting back to you, I was caught on vacation. We might have more questions on this security aspect, so we would like to keep this open for a bit. But if nothing comes up for weeks, please go ahead and close this issue.

@fujitatomoya Thanks for your reply.

In addition, would you like to register as an end user of OpenYurt in this issue: #300? The OpenYurt community will get more confidence from users.

@fujitatomoya (Contributor, Author)

@rambohe-ch will do.

@fujitatomoya (Contributor, Author)

I think it is the application's responsibility to secure zero trust connectivity to the cluster system. At least, I understand this is out of scope for OpenYurt, so I will go ahead and close this. @rambohe-ch thanks for iterating.

@rambohe-ch (Member)

rambohe-ch commented Jan 22, 2023

> I think it is the application's responsibility to secure zero trust connectivity to the cluster system. At least, I understand this is out of scope for OpenYurt, so I will go ahead and close this. @rambohe-ch thanks for iterating.

@fujitatomoya sorry, I'd like to add an idea about how to improve the security of OpenYurt.

  1. We will use raven to replace yurt-tunnel in OpenYurt v1.2, and Yurthub on edge nodes can use the PodIP of kube-apiserver to access the remote kube-apiserver through Raven.
  2. Then, we can configure multiple addresses of kube-apiserver for Yurthub (like `--serveraddr={PodIP:6443},{PublicIP:6443}`). The PodIP of kube-apiserver can not be accessed before the raven component is ready on the node, and the Public IP address of kube-apiserver is used for bootstrapping the edge node.
  3. We can configure `--lb-mode=priority` for Yurthub, so when bootstrapping the edge node, Yurthub will use the PublicIP to connect to the remote kube-apiserver, and when the raven component is ready, Yurthub will switch to using the PodIP to connect to the remote kube-apiserver automatically. Of course, if the VPN constructed by raven crashes, Yurthub will fall back to the Public IP. By the way, this feature is already supported by Yurthub.

In one word, Yurthub can connect to kube-apiserver through tunnels constructed by raven, and kube-apiserver doesn't need to be exposed on the public network after the node bootstrap phase.
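The three-phase switching described in the comment above (bootstrap over the public address, switch to the PodIP once the raven tunnel is up, fall back if the tunnel drops) is easy to misread as a security control on its own, so here is a small model of priority selection that makes the sequence explicit. This is an added illustration, not OpenYurt's or Yurthub's code: the address list format, the `reachable` flag standing in for a health probe, and the IP values are all constructed assumptions for the example.

```python
"""Model of priority-mode server selection across several kube-apiserver
addresses, in the style of the Yurthub behaviour described above.
Added example, not project code; addresses and probe results are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Server:
    name: str        # label for the reader, e.g. "pod-ip" / "public-ip"
    address: str     # host:port as it would appear in the address list
    reachable: bool  # stands in for a live health probe in this model


def parse_server_addrs(value: str) -> List[str]:
    """Split a comma-separated address list; order is the priority order.
    Assumption: the list format is "host:port,host:port" as in the comment."""
    addrs = [a.strip() for a in value.split(",") if a.strip()]
    for a in addrs:
        host, sep, port = a.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError(f"malformed server address: {a!r}")
    return addrs


def pick_server(servers: List[Server]) -> Optional[Server]:
    """Priority mode: the first reachable server in configured order wins,
    so a higher-priority endpoint is preferred whenever it answers."""
    for s in servers:
        if s.reachable:
            return s
    return None


def simulate_bootstrap(server_list: str) -> List[str]:
    """Walk the three phases from the comment and return the name of the
    endpoint chosen in each phase. Assumes exactly two addresses: the
    tunnel-only PodIP first, the public bootstrap address second."""
    pod_addr, public_addr = parse_server_addrs(server_list)
    pod_ip = Server("pod-ip", pod_addr, reachable=False)       # needs raven
    public_ip = Server("public-ip", public_addr, reachable=True)  # bootstrap path
    servers = [pod_ip, public_ip]   # list order == priority

    chosen = []
    # Phase 1: node bootstrap, raven not up, only the public address answers.
    chosen.append(pick_server(servers).name)
    # Phase 2: raven tunnel ready, PodIP reachable and preferred by priority.
    pod_ip.reachable = True
    chosen.append(pick_server(servers).name)
    # Phase 3: tunnel crashes, selection falls back to the public address.
    pod_ip.reachable = False
    chosen.append(pick_server(servers).name)
    return chosen


if __name__ == "__main__":
    # Constructed sample: cluster-internal PodIP first, TEST-NET-3 public IP second.
    print(simulate_bootstrap("10.96.0.1:6443,203.0.113.10:6443"))
```

The model shows the defender-relevant consequence: the public address is still in the list for bootstrap and fallback, so restricting it (the load-balancer allowlist from the earlier reply, plus client-certificate authentication) remains necessary; the tunnel only reduces how often that path is used.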

@rambohe-ch (Member)

@fujitatomoya I will release OpenYurt v1.2 soon, then we can give the above idea a try.

@fujitatomoya (Contributor, Author)

> In one word, Yurthub can connect to kube-apiserver through tunnels constructed by raven, and kube-apiserver doesn't need to be exposed on the public network after the node bootstrap phase.

Okay, that makes sense. Thanks for sharing the information.
