From ca3c93484505d1e0c58369ad736f70e16d9e58f7 Mon Sep 17 00:00:00 2001 From: Jakub Dyszkiewicz Date: Tue, 13 Oct 2020 11:07:42 +0200 Subject: [PATCH 1/3] docs(security) ingress token Signed-off-by: Jakub Dyszkiewicz --- docs/docs/0.7.2/documentation/security.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/docs/0.7.2/documentation/security.md b/docs/docs/0.7.2/documentation/security.md index 0e0545a01..5dac2c9ca 100644 --- a/docs/docs/0.7.2/documentation/security.md +++ b/docs/docs/0.7.2/documentation/security.md @@ -34,7 +34,7 @@ You can generate token either by REST API ```bash curl -XPOST \ -H "Content-Type: application/json" \ - --data '{"name": "dp-echo-1", "mesh": "default", "tags": {"kuma.io/service": ["backend", "backend-admin"]}}' \ + --data '{"name": "dp-echo-1", "mesh": "default", "type": "dataplane", tags": {"kuma.io/service": ["backend", "backend-admin"]}}' \ http://localhost:5679/tokens ``` @@ -43,6 +43,7 @@ or by using `kumactl` kumactl generate dataplane-token \ --name dp-echo-1 \ --mesh default \ + --type dataplane \ --tag kuma.io/service=backend,backend-admin > /tmp/kuma-dp-echo1-token ``` @@ -64,6 +65,7 @@ As you can see in the example above, you can generate a token by passing name, m * `mesh` + `tag` (ex. `kuma.io/service`). This way you can use one token across all instances of given service. Keep in mind that you have to specify all the values. If you have a Dataplane with 2 inbounds, one with `kuma.io/service: backend` and one with `kuma.io/service: backend-admin`, you need to specify both values (`--tag kuma.io/service=backend,backend-admin`). * `mesh` + `name` + `tag` (ex. `kuma.io/service`). This way you can use one token for one instance of given service. +* `type`. The type can be either `dataplane` (default if not specified) or `ingress`. Ingress Dataplane for multicluster communication requires Ingress token. #### Turn off authentication From 545904ebd9fb4aa867beae5febc3bfdc5831c024 Mon Sep 17 00:00:00 2001 From: Nikolay Nikolaev Date: Tue, 3 Nov 2020 14:34:14 +0200 Subject: [PATCH 2/3] chore(*) move to 0.7.3 Signed-off-by: Nikolay Nikolaev --- docs/docs/0.7.2/documentation/security.md | 4 +-- docs/docs/0.7.3/documentation/security.md | 31 +++++++++++++++++++++-- 2 files changed, 30 insertions(+), 5 deletions(-) diff --git a/docs/docs/0.7.2/documentation/security.md b/docs/docs/0.7.2/documentation/security.md index 5dac2c9ca..0e0545a01 100644 --- a/docs/docs/0.7.2/documentation/security.md +++ b/docs/docs/0.7.2/documentation/security.md @@ -34,7 +34,7 @@ You can generate token either by REST API ```bash curl -XPOST \ -H "Content-Type: application/json" \ - --data '{"name": "dp-echo-1", "mesh": "default", "type": "dataplane", tags": {"kuma.io/service": ["backend", "backend-admin"]}}' \ + --data '{"name": "dp-echo-1", "mesh": "default", "tags": {"kuma.io/service": ["backend", "backend-admin"]}}' \ http://localhost:5679/tokens ``` @@ -43,7 +43,6 @@ or by using `kumactl` kumactl generate dataplane-token \ --name dp-echo-1 \ --mesh default \ - --type dataplane \ --tag kuma.io/service=backend,backend-admin > /tmp/kuma-dp-echo1-token ``` @@ -65,7 +64,6 @@ As you can see in the example above, you can generate a token by passing name, m * `mesh` + `tag` (ex. `kuma.io/service`). This way you can use one token across all instances of given service. Keep in mind that you have to specify all the values. If you have a Dataplane with 2 inbounds, one with `kuma.io/service: backend` and one with `kuma.io/service: backend-admin`, you need to specify both values (`--tag kuma.io/service=backend,backend-admin`). * `mesh` + `name` + `tag` (ex. `kuma.io/service`). This way you can use one token for one instance of given service. -* `type`. The type can be either `dataplane` (default if not specified) or `ingress`. Ingress Dataplane for multicluster communication requires Ingress token. #### Turn off authentication diff --git a/docs/docs/0.7.3/documentation/security.md b/docs/docs/0.7.3/documentation/security.md index 69d510a3d..09b3e6a90 100644 --- a/docs/docs/0.7.3/documentation/security.md +++ b/docs/docs/0.7.3/documentation/security.md @@ -46,12 +46,19 @@ the only thing that is stored is a signing key that is used to verify if a token You can generate token either by REST API ```bash -curl -XPOST -H "Content-Type: application/json" --data '{"name": "dp-echo-1", "mesh": "default"}' http://localhost:5679/tokens +curl -XPOST \ + -H "Content-Type: application/json" \ + --data '{"name": "dp-echo-1", "mesh": "default", "type": "dataplane", tags": {"kuma.io/service": ["backend", "backend-admin"]}}' \ + http://localhost:5679/tokens ``` or by using `kumactl` ```bash -kumactl generate dataplane-token --name=dp-echo-1 --mesh=default > /tmp/kuma-dp-echo1-token +kumactl generate dataplane-token \ + --name dp-echo-1 \ + --mesh default \ + --type dataplane \ + --tag kuma.io/service=backend,backend-admin > /tmp/kuma-dp-echo1-token ``` The token should be stored in a file and then used when starting `kuma-dp` @@ -63,6 +70,26 @@ $ kuma-dp run \ --dataplane-token-file=/tmp/kuma-dp-echo-1-token ``` +You can also pass Dataplane Token as `KUMA_DATAPLANE_RUNTIME_TOKEN` Environment Variable. + +#### Dataplane Token boundary + +As you can see in the example above, you can generate a token by passing name, mesh, and tags. Control Plane will verify Dataplane against data available in the Token. This means you can generate a token by specifying: +* only `mesh`. This way you can reuse the token for all dataplanes in a given mesh. +* `mesh` + `tag` (ex. `kuma.io/service`). This way you can use one token across all instances of given service. + Keep in mind that you have to specify all the values. If you have a Dataplane with 2 inbounds, one with `kuma.io/service: backend` and one with `kuma.io/service: backend-admin`, you need to specify both values (`--tag kuma.io/service=backend,backend-admin`). +* `mesh` + `name` + `tag` (ex. `kuma.io/service`). This way you can use one token for one instance of given service. +* `type`. The type can be either `dataplane` (default if not specified) or `ingress`. Ingress Dataplane for multicluster communication requires Ingress token. + + +#### Turn off authentication + +You can turn off authentication for testing proposes. Set `KUMA_ADMIN_SERVER_APIS_DATAPLANE_TOKEN_ENABLED` to `false`. + +::: warning +If you turn off authentication, any dataplane can request certificate for any service, therefore this should not be used in a production setup. +::: +:::: #### Accessing Admin Server from a different machine By default, the Admin Server that is serving Dataplane Tokens is exposed only on localhost. If you want to generate tokens from a different machine than control plane you have to secure the connection: From bd627742fcdaf436ba6a8f0acf50498d6b423ce1 Mon Sep 17 00:00:00 2001 From: subnetmarco <88.marco@gmail.com> Date: Mon, 16 Nov 2020 18:46:17 -0800 Subject: [PATCH 3/3] edits --- bin/kumacut/package-lock.json | 390 +++++++++++++++++++++- docs/docs/0.7.3/documentation/security.md | 184 +++++----- 2 files changed, 495 insertions(+), 79 deletions(-) diff --git a/bin/kumacut/package-lock.json b/bin/kumacut/package-lock.json index b1b034791..78480dc4f 100644 --- a/bin/kumacut/package-lock.json +++ b/bin/kumacut/package-lock.json @@ -1,8 +1,396 @@ { "name": "kumacut", "version": "1.0.0", - "lockfileVersion": 1, + "lockfileVersion": 2, "requires": true, + "packages": { + "": { + "version": "1.0.0", + "license": "ISC", + "dependencies": { + "chalk": "^2.4.2", + "commander": "^3.0.2", + "fs-extra": "^8.1.0", + "latest-semver": "^2.0.0", + "path": "^0.12.7", + "replace-in-file": "^4.2.0" + } + }, + "node_modules/ansi-regex": { + "version": "4.1.0", + "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz", + "integrity": "sha512-1apePfXM1UOSqw0o9IiFAovVz9M5S1Dg+4TrDwfMewQ6p/rmMueb7tWZjQ1rx4Loy1ArBggoqGpfqqdI4rondg==" + }, + "node_modules/ansi-styles": { + "version": "3.2.1", + "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-3.2.1.tgz", + "integrity": "sha512-VT0ZI6kZRdTh8YyJw3SMbYm/u+NqfsAxEpWO0Pf9sq8/e94WxxOpPKx9FR1FlyCtOVDNOQ+8ntlqFxiRc+r5qA==", + "dependencies": { + "color-convert": "^1.9.0" + } + }, + "node_modules/balanced-match": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.0.tgz", + "integrity": "sha1-ibTRmasr7kneFk6gK4nORi1xt2c=" + }, + "node_modules/brace-expansion": { + "version": "1.1.11", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz", + "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==", + "dependencies": { + "balanced-match": "^1.0.0", + "concat-map": "0.0.1" + } + }, + "node_modules/camelcase": { + "version": "5.3.1", + "resolved": "https://registry.npmjs.org/camelcase/-/camelcase-5.3.1.tgz", + "integrity": "sha512-L28STB170nwWS63UjtlEOE3dldQApaJXZkOI1uMFfzf3rRuPegHaHesyee+YxQ+W6SvRDQV6UrdOdRiR153wJg==" + }, + "node_modules/chalk": { + "version": "2.4.2", + "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz", + "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==", + "dependencies": { + "ansi-styles": "^3.2.1", + "escape-string-regexp": "^1.0.5", + "supports-color": "^5.3.0" + } + }, + "node_modules/cliui": { + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/cliui/-/cliui-5.0.0.tgz", + "integrity": "sha512-PYeGSEmmHM6zvoef2w8TPzlrnNpXIjTipYK780YswmIP9vjxmd6Y2a3CB2Ks6/AU8NHjZugXvo8w3oWM2qnwXA==", + "dependencies": { + "string-width": "^3.1.0", + "strip-ansi": "^5.2.0", + "wrap-ansi": "^5.1.0" + } + }, + "node_modules/color-convert": { + "version": "1.9.3", + "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-1.9.3.tgz", + "integrity": "sha512-QfAUtd+vFdAtFQcC8CCyYt1fYWxSqAiK2cSD6zDB8N3cpsEBAvRxp9zOGg6G/SHHJYAT88/az/IuDGALsNVbGg==", + "dependencies": { + "color-name": "1.1.3" + } + }, + "node_modules/color-name": { + "version": "1.1.3", + "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.3.tgz", + "integrity": "sha1-p9BVi9icQveV3UIyj3QIMcpTvCU=" + }, + "node_modules/commander": { + "version": "3.0.2", + "resolved": "https://registry.npmjs.org/commander/-/commander-3.0.2.tgz", + "integrity": "sha512-Gar0ASD4BDyKC4hl4DwHqDrmvjoxWKZigVnAbn5H1owvm4CxCPdb0HQDehwNYMJpla5+M2tPmPARzhtYuwpHow==" + }, + "node_modules/concat-map": { + "version": "0.0.1", + "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz", + "integrity": "sha1-2Klr13/Wjfd5OnMDajug1UBdR3s=" + }, + "node_modules/decamelize": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/decamelize/-/decamelize-1.2.0.tgz", + "integrity": "sha1-9lNNFRSCabIDUue+4m9QH5oZEpA=" + }, + "node_modules/emoji-regex": { + "version": "7.0.3", + "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-7.0.3.tgz", + "integrity": "sha512-CwBLREIQ7LvYFB0WyRvwhq5N5qPhc6PMjD6bYggFlI5YyDgl+0vxq5VHbMOFqLg7hfWzmu8T5Z1QofhmTIhItA==" + }, + "node_modules/escape-string-regexp": { + "version": "1.0.5", + "resolved": "https://registry.npmjs.org/escape-string-regexp/-/escape-string-regexp-1.0.5.tgz", + "integrity": "sha1-G2HAViGQqN/2rjuyzwIAyhMLhtQ=" + }, + "node_modules/find-up": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/find-up/-/find-up-3.0.0.tgz", + "integrity": "sha512-1yD6RmLI1XBfxugvORwlck6f75tYL+iR0jqwsOrOxMZyGYqUuDhJ0l4AXdO1iX/FTs9cBAMEk1gWSEx1kSbylg==", + "dependencies": { + "locate-path": "^3.0.0" + } + }, + "node_modules/fs-extra": { + "version": "8.1.0", + "resolved": "https://registry.npmjs.org/fs-extra/-/fs-extra-8.1.0.tgz", + "integrity": "sha512-yhlQgA6mnOJUKOsRUFsgJdQCvkKhcz8tlZG5HBQfReYZy46OwLcY+Zia0mtdHsOo9y/hP+CxMN0TU9QxoOtG4g==", + "dependencies": { + "graceful-fs": "^4.2.0", + "jsonfile": "^4.0.0", + "universalify": "^0.1.0" + } + }, + "node_modules/fs.realpath": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz", + "integrity": "sha1-FQStJSMVjKpA20onh8sBQRmU6k8=" + }, + "node_modules/get-caller-file": { + "version": "2.0.5", + "resolved": "https://registry.npmjs.org/get-caller-file/-/get-caller-file-2.0.5.tgz", + "integrity": "sha512-DyFP3BM/3YHTQOCUL/w0OZHR0lpKeGrxotcHWcqNEdnltqFwXVfhEBQ94eIo34AfQpo0rGki4cyIiftY06h2Fg==" + }, + "node_modules/glob": { + "version": "7.1.5", + "resolved": "https://registry.npmjs.org/glob/-/glob-7.1.5.tgz", + "integrity": "sha512-J9dlskqUXK1OeTOYBEn5s8aMukWMwWfs+rPTn/jn50Ux4MNXVhubL1wu/j2t+H4NVI+cXEcCaYellqaPVGXNqQ==", + "dependencies": { + "fs.realpath": "^1.0.0", + "inflight": "^1.0.4", + "inherits": "2", + "minimatch": "^3.0.4", + "once": "^1.3.0", + "path-is-absolute": "^1.0.0" + } + }, + "node_modules/graceful-fs": { + "version": "4.2.3", + "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.3.tgz", + "integrity": "sha512-a30VEBm4PEdx1dRB7MFK7BejejvCvBronbLjht+sHuGYj8PHs7M/5Z+rt5lw551vZ7yfTCj4Vuyy3mSJytDWRQ==" + }, + "node_modules/has-flag": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/has-flag/-/has-flag-3.0.0.tgz", + "integrity": "sha1-tdRU3CGZriJWmfNGfloH87lVuv0=" + }, + "node_modules/inflight": { + "version": "1.0.6", + "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz", + "integrity": "sha1-Sb1jMdfQLQwJvJEKEHW6gWW1bfk=", + "dependencies": { + "once": "^1.3.0", + "wrappy": "1" + } + }, + "node_modules/inherits": { + "version": "2.0.3", + "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.3.tgz", + "integrity": "sha1-Yzwsg+PaQqUC9SRmAiSA9CCCYd4=" + }, + "node_modules/is-fullwidth-code-point": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-2.0.0.tgz", + "integrity": "sha1-o7MKXE8ZkYMWeqq5O+764937ZU8=" + }, + "node_modules/jsonfile": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/jsonfile/-/jsonfile-4.0.0.tgz", + "integrity": "sha1-h3Gq4HmbZAdrdmQPygWPnBDjPss=", + "dependencies": { + "graceful-fs": "^4.1.6" + } + }, + "node_modules/latest-semver": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/latest-semver/-/latest-semver-2.0.0.tgz", + "integrity": "sha512-l8sU7ghgSK6fnaMMsmSkuLz8VWaHFhWFws6Iw6zIJdxTPC9mBsEZ+XW5nNTfNKWZmO4JMbfKIHXtQQjEO9o5Jw==", + "dependencies": { + "to-semver": "^2.0.0" + } + }, + "node_modules/locate-path": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/locate-path/-/locate-path-3.0.0.tgz", + "integrity": "sha512-7AO748wWnIhNqAuaty2ZWHkQHRSNfPVIsPIfwEOWO22AmaoVrWavlOcMR5nzTLNYvp36X220/maaRsrec1G65A==", + "dependencies": { + "p-locate": "^3.0.0", + "path-exists": "^3.0.0" + } + }, + "node_modules/minimatch": { + "version": "3.0.4", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz", + "integrity": "sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA==", + "dependencies": { + "brace-expansion": "^1.1.7" + } + }, + "node_modules/once": { + "version": "1.4.0", + "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", + "integrity": "sha1-WDsap3WWHUsROsF9nFC6753Xa9E=", + "dependencies": { + "wrappy": "1" + } + }, + "node_modules/p-limit": { + "version": "2.2.1", + "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-2.2.1.tgz", + "integrity": "sha512-85Tk+90UCVWvbDavCLKPOLC9vvY8OwEX/RtKF+/1OADJMVlFfEHOiMTPVyxg7mk/dKa+ipdHm0OUkTvCpMTuwg==", + "dependencies": { + "p-try": "^2.0.0" + } + }, + "node_modules/p-locate": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/p-locate/-/p-locate-3.0.0.tgz", + "integrity": "sha512-x+12w/To+4GFfgJhBEpiDcLozRJGegY+Ei7/z0tSLkMmxGZNybVMSfWj9aJn8Z5Fc7dBUNJOOVgPv2H7IwulSQ==", + "dependencies": { + "p-limit": "^2.0.0" + } + }, + "node_modules/p-try": { + "version": "2.2.0", + "resolved": "https://registry.npmjs.org/p-try/-/p-try-2.2.0.tgz", + "integrity": "sha512-R4nPAVTAU0B9D35/Gk3uJf/7XYbQcyohSKdvAxIRSNghFl4e71hVoGnBNQz9cWaXxO2I10KTC+3jMdvvoKw6dQ==" + }, + "node_modules/path": { + "version": "0.12.7", + "resolved": "https://registry.npmjs.org/path/-/path-0.12.7.tgz", + "integrity": "sha1-1NwqUGxM4hl+tIHr/NWzbAFAsQ8=", + "dependencies": { + "process": "^0.11.1", + "util": "^0.10.3" + } + }, + "node_modules/path-exists": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/path-exists/-/path-exists-3.0.0.tgz", + "integrity": "sha1-zg6+ql94yxiSXqfYENe1mwEP1RU=" + }, + "node_modules/path-is-absolute": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz", + "integrity": "sha1-F0uSaHNVNP+8es5r9TpanhtcX18=" + }, + "node_modules/process": { + "version": "0.11.10", + "resolved": "https://registry.npmjs.org/process/-/process-0.11.10.tgz", + "integrity": "sha1-czIwDoQBYb2j5podHZGn1LwW8YI=" + }, + "node_modules/replace-in-file": { + "version": "4.2.0", + "resolved": "https://registry.npmjs.org/replace-in-file/-/replace-in-file-4.2.0.tgz", + "integrity": "sha512-9PGYDbU8iQF3W5a0Ariaf4KzYjsZSkonCYiZylwMiYOu0w5Bg9IuT4DqNnibA4zGNVxH//F7Hxh1P25TofAHGw==", + "dependencies": { + "chalk": "^2.4.2", + "glob": "^7.1.4", + "yargs": "^13.3.0" + } + }, + "node_modules/require-directory": { + "version": "2.1.1", + "resolved": "https://registry.npmjs.org/require-directory/-/require-directory-2.1.1.tgz", + "integrity": "sha1-jGStX9MNqxyXbiNE/+f3kqam30I=" + }, + "node_modules/require-main-filename": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/require-main-filename/-/require-main-filename-2.0.0.tgz", + "integrity": "sha512-NKN5kMDylKuldxYLSUfrbo5Tuzh4hd+2E8NPPX02mZtn1VuREQToYe/ZdlJy+J3uCpfaiGF05e7B8W0iXbQHmg==" + }, + "node_modules/semver": { + "version": "6.3.0", + "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.0.tgz", + "integrity": "sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw==" + }, + "node_modules/set-blocking": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz", + "integrity": "sha1-BF+XgtARrppoA93TgrJDkrPYkPc=" + }, + "node_modules/string-width": { + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/string-width/-/string-width-3.1.0.tgz", + "integrity": "sha512-vafcv6KjVZKSgz06oM/H6GDBrAtz8vdhQakGjFIvNrHA6y3HCF1CInLy+QLq8dTJPQ1b+KDUqDFctkdRW44e1w==", + "dependencies": { + "emoji-regex": "^7.0.1", + "is-fullwidth-code-point": "^2.0.0", + "strip-ansi": "^5.1.0" + } + }, + "node_modules/strip-ansi": { + "version": "5.2.0", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-5.2.0.tgz", + "integrity": "sha512-DuRs1gKbBqsMKIZlrffwlug8MHkcnpjs5VPmL1PAh+mA30U0DTotfDZ0d2UUsXpPmPmMMJ6W773MaA3J+lbiWA==", + "dependencies": { + "ansi-regex": "^4.1.0" + } + }, + "node_modules/supports-color": { + "version": "5.5.0", + "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz", + "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==", + "dependencies": { + "has-flag": "^3.0.0" + } + }, + "node_modules/to-semver": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/to-semver/-/to-semver-2.0.0.tgz", + "integrity": "sha512-ZQbSDYCfuF4weayoQBoLOiLPMNiD/v1VTK05DQKelpWTBa2gYEIVQnLvPQLnC+/TzKqasuE90ma6jSoLry9BDA==", + "dependencies": { + "semver": "^6.0.0" + } + }, + "node_modules/universalify": { + "version": "0.1.2", + "resolved": "https://registry.npmjs.org/universalify/-/universalify-0.1.2.tgz", + "integrity": "sha512-rBJeI5CXAlmy1pV+617WB9J63U6XcazHHF2f2dbJix4XzpUF0RS3Zbj0FGIOCAva5P/d/GBOYaACQ1w+0azUkg==" + }, + "node_modules/util": { + "version": "0.10.4", + "resolved": "https://registry.npmjs.org/util/-/util-0.10.4.tgz", + "integrity": "sha512-0Pm9hTQ3se5ll1XihRic3FDIku70C+iHUdT/W926rSgHV5QgXsYbKZN8MSC3tJtSkhuROzvsQjAaFENRXr+19A==", + "dependencies": { + "inherits": "2.0.3" + } + }, + "node_modules/which-module": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/which-module/-/which-module-2.0.0.tgz", + "integrity": "sha1-2e8H3Od7mQK4o6j6SzHD4/fm6Ho=" + }, + "node_modules/wrap-ansi": { + "version": "5.1.0", + "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-5.1.0.tgz", + "integrity": "sha512-QC1/iN/2/RPVJ5jYK8BGttj5z83LmSKmvbvrXPNCLZSEb32KKVDJDl/MOt2N01qU2H/FkzEa9PKto1BqDjtd7Q==", + "dependencies": { + "ansi-styles": "^3.2.0", + "string-width": "^3.0.0", + "strip-ansi": "^5.0.0" + } + }, + "node_modules/wrappy": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", + "integrity": "sha1-tSQ9jz7BqjXxNkYFvA0QNuMKtp8=" + }, + "node_modules/y18n": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz", + "integrity": "sha512-r9S/ZyXu/Xu9q1tYlpsLIsa3EeLXXk0VwlxqTcFRfg9EhMW+17kbt9G0NrgCmhGb5vT2hyhJZLfDGx+7+5Uj/w==" + }, + "node_modules/yargs": { + "version": "13.3.0", + "resolved": "https://registry.npmjs.org/yargs/-/yargs-13.3.0.tgz", + "integrity": "sha512-2eehun/8ALW8TLoIl7MVaRUrg+yCnenu8B4kBlRxj3GJGDKU1Og7sMXPNm1BYyM1DOJmTZ4YeN/Nwxv+8XJsUA==", + "dependencies": { + "cliui": "^5.0.0", + "find-up": "^3.0.0", + "get-caller-file": "^2.0.1", + "require-directory": "^2.1.1", + "require-main-filename": "^2.0.0", + "set-blocking": "^2.0.0", + "string-width": "^3.0.0", + "which-module": "^2.0.0", + "y18n": "^4.0.0", + "yargs-parser": "^13.1.1" + } + }, + "node_modules/yargs-parser": { + "version": "13.1.2", + "resolved": "https://registry.npmjs.org/yargs-parser/-/yargs-parser-13.1.2.tgz", + "integrity": "sha512-3lbsNRf/j+A4QuSZfDRA7HRSfWrzO0YjqTJd5kjAq37Zep1CEgaYmrH9Q3GwPiB9cHyd1Y1UwggGhJGoxipbzg==", + "dependencies": { + "camelcase": "^5.0.0", + "decamelize": "^1.2.0" + } + } + }, "dependencies": { "ansi-regex": { "version": "4.1.0", diff --git a/docs/docs/0.7.3/documentation/security.md b/docs/docs/0.7.3/documentation/security.md index 09b3e6a90..992131203 100644 --- a/docs/docs/0.7.3/documentation/security.md +++ b/docs/docs/0.7.3/documentation/security.md @@ -1,58 +1,55 @@ # Security -Kuma helps you secure your existing infrastructure with mTLS. The following sections cover details of how it works. +This section addresses the certificate generation in Kuma across the following use-cases: + +1. Security between our services, via the [mTLS policy](/docs/0.7.3/policies/mutual-tls/). +2. Security between the Kuma control plane and its data plane proxies, via the data plane proxy token. +3. Security when accessing the control plane. + +:::tip +This section is not to be confused with the [mTLS policy](/docs/0.7.3/policies/mutual-tls/) that we can apply to a [Mesh](/docs/0.7.3/policies/mesh/) to secure service-to-service traffic. +::: ## Certificates -Kuma uses a built-in CA (Certificate Authority) to issue certificates for dataplanes. The root CA certificate is unique for each mesh -in the system. On Kubernetes, the root CA certificate is stored as a [Kubernetes Secret](https://kubernetes.io/docs/concepts/configuration/secret/). -On Universal, we leverage the same storage (Postgres) that is used for storing policies. -Certificates for dataplanes are ephemeral, re-created on dataplane restart and never persisted on disk. - -Dataplane certificates generated by Kuma are X.509 certificates that are [SPIFFE](https://github.com/spiffe/spiffe/blob/master/standards/X509-SVID.md) compliant. The SAN of certificate is set to `spiffe:///` - -Kuma also supports external CA. By changing the `ca` in the mesh resource to `provided`, you can use a CA of your choice. -```yaml -type: Mesh -name: default -mtls: - enabledBackend: ca-1 - backends: - - name: ca-1 - type: provided - config: - cert: - secret: path-to-secret - key: - secret: path-to-secret -``` -To manage external CAs after you update the mesh resource, `kumactl` now supports a new command: `kumactl manage ca`. With this new command, you can do add and delete certificates. +In Kuma, any TLS certificate that is being issued by the control plane must have a CA (Certificate Authority) that can be either auto-generated by Kuma via a `builtin` backend, or can be initialized with a customer certificate and key via a `provided` backend. -For further details refer to [Mutual TLS](../../policies/mutual-tls) policy. +:::tip +Third-party extensions, cloud implementations or [commercial offerings](/enterprise) may be extending the CA backend support. +::: + +For both `builtin` and `provided` CA backends, on Kubernetes the root CA certificate is stored as a [Kubernetes Secret](https://kubernetes.io/docs/concepts/configuration/secret/), while on Universal Kuma leverages the same underlying storage backend that is used for storing policies. + +:::tip +When the [mTLS policy](/docs/0.7.3/policies/mutual-tls/) is enabled, data plane proxy certificates are ephemeral: thet are re-created on every data plane proxy restart and never persisted on disk. +::: -## Dataplane Token +Data plane proxy certificates generated by Kuma are X.509 certificates that are [SPIFFE](https://github.com/spiffe/spiffe/blob/master/standards/X509-SVID.md) compliant. The SAN of the certificates is set to `spiffe:///`. -In order to obtain an mTLS certificate from the server ([SDS](https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret) built-in in the control plane), a dataplane must prove it's identity. +## Data plane proxy token + +The data plane proxy token comes into play when it comes to security the communication between the data plane proxies and the control plane, that is between `kuma-dp` (including `envoy`) and `kuma-cp`. + +In order to obtain an mTLS certificate from the server ([SDS](https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret) built-in in the control plane), a data plane proxy must first prove its identity. ### Kubernetes -On Kubernetes, a dataplane proves its identity by leveraging [ServiceAccountToken](https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#service-account-automation) that is mounted in every pod. + +On Kubernetes, a data plane proxy proves its identity by leveraging the [ServiceAccountToken](https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#service-account-automation) that is mounted in every pod. ### Universal -On Universal, a dataplane must be explicitly configured with a unique security token (Dataplane Token) that will be used to prove its identity. -Dataplane Token is a signed [JWT token](https://jwt.io) that the carries dataplane name and name of the mesh it's allowed to join to. -It is signed by an RSA key auto-generated by the control plane on first run. Tokens are not stored in the control plane, -the only thing that is stored is a signing key that is used to verify if a token is valid. +On Universal, a data plane proxy must be explicitly configured with a unique security token (data plane proxy token) that will be used to prove its identity. The data plane proxy token is a signed [JWT token](https://jwt.io) that carries the data plane proxy name and name of the mesh that it belongs to. -You can generate token either by REST API -```bash -curl -XPOST \ - -H "Content-Type: application/json" \ - --data '{"name": "dp-echo-1", "mesh": "default", "type": "dataplane", tags": {"kuma.io/service": ["backend", "backend-admin"]}}' \ - http://localhost:5679/tokens -``` +It is signed by an RSA key auto-generated by the control plane on first run. Tokens are never stored in the control plane, +the only thing that is stored is a signing key that is used to verify if a token is valid. + +We can generate a token using the following methods: + +:::: tabs :options="{ useUrlFragment: false }" +::: tab "kumactl" + +We can generate a data plane proxy token using Kuma's CLI: -or by using `kumactl` ```bash kumactl generate dataplane-token \ --name dp-echo-1 \ @@ -61,7 +58,23 @@ kumactl generate dataplane-token \ --tag kuma.io/service=backend,backend-admin > /tmp/kuma-dp-echo1-token ``` -The token should be stored in a file and then used when starting `kuma-dp` +::: +::: tab "HTTP API" + +We can generate a token by making `POST` request to `:5679/tokens` on the control plane, like: + +```bash +curl -XPOST \ + -H "Content-Type: application/json" \ + --data '{"name": "dp-echo-1", "mesh": "default", "type": "dataplane", tags": {"kuma.io/service": ["backend", "backend-admin"]}}' \ + http://control-plane:5679/tokens +``` + +::: +:::: + +The data plane proxy token should be stored in a file and then used when starting `kuma-dp`: + ```bash $ kuma-dp run \ --name=dp-echo-1 \ @@ -70,44 +83,57 @@ $ kuma-dp run \ --dataplane-token-file=/tmp/kuma-dp-echo-1-token ``` -You can also pass Dataplane Token as `KUMA_DATAPLANE_RUNTIME_TOKEN` Environment Variable. +We can also pass the data plane proxy token as `KUMA_DATAPLANE_RUNTIME_TOKEN` environment variable. -#### Dataplane Token boundary +#### Data Plane Proxy Token boundary -As you can see in the example above, you can generate a token by passing name, mesh, and tags. Control Plane will verify Dataplane against data available in the Token. This means you can generate a token by specifying: -* only `mesh`. This way you can reuse the token for all dataplanes in a given mesh. -* `mesh` + `tag` (ex. `kuma.io/service`). This way you can use one token across all instances of given service. - Keep in mind that you have to specify all the values. If you have a Dataplane with 2 inbounds, one with `kuma.io/service: backend` and one with `kuma.io/service: backend-admin`, you need to specify both values (`--tag kuma.io/service=backend,backend-admin`). -* `mesh` + `name` + `tag` (ex. `kuma.io/service`). This way you can use one token for one instance of given service. -* `type`. The type can be either `dataplane` (default if not specified) or `ingress`. Ingress Dataplane for multicluster communication requires Ingress token. +As we can see in the example above, we can generate a token by passing a `name`, `mesh`, and a list of tags. The control plane will then verify the data plane proxy resources that are connecting to it against the token. This means we can generate a token by specifying: +* Only `mesh`. By doing so we can reuse the token for all dataplanes in a given mesh. +* `mesh` + `tag` (ex. `kuma.io/service`). This way we can use one token across all instances/replicas of the given service. Please keep in mind that we have to specify to include all the services that a data plane proxy is in charge of. For example, if we have a Dataplane with two inbounds, one valued with `kuma.io/service: backend` and one with `kuma.io/service: backend-admin`, we need to specify both values (`--tag kuma.io/service=backend,backend-admin`). +* `mesh` + `name` + `tag` (ex. `kuma.io/service`). This way we can use one token for one instance/replicate of the given service. +* `type`. The type can be either `dataplane` (default if not specified) or `ingress`. An [ingress data plane proxy](/docs/0.7.3/documentation/dps-and-data-model/#dataplane-specification) in a [multi-zone deployment](/docs/0.7.3/documentation/deployments/) requires an ingress token. -#### Turn off authentication +#### Disabling Data Plane Proxy Token -You can turn off authentication for testing proposes. Set `KUMA_ADMIN_SERVER_APIS_DATAPLANE_TOKEN_ENABLED` to `false`. +We can disable the security between the control plane and its data plane proxies by setting `KUMA_ADMIN_SERVER_APIS_DATAPLANE_TOKEN_ENABLED` to `false`. ::: warning -If you turn off authentication, any dataplane can request certificate for any service, therefore this should not be used in a production setup. +If we disable the security between the control plane and the data plane proxies, any data plane proxy will be able to impersonate any service, therefore this is not recommended in production. ::: -:::: + #### Accessing Admin Server from a different machine -By default, the Admin Server that is serving Dataplane Tokens is exposed only on localhost. If you want to generate tokens from a different machine than control plane you have to secure the connection: -1) Enable public server by setting `KUMA_ADMIN_SERVER_PUBLIC_ENABLED` to `true`. Make sure to specify hostname which can be used to access Kuma from other machine via `KUMA_GENERAL_ADVERTISED_HOSTNAME`. -2) Generate certificate for the HTTPS Admin Server and set via `KUMA_ADMIN_SERVER_PUBLIC_TLS_CERT_FILE` and `KUMA_ADMIN_SERVER_PUBLIC_TLS_KEY_FILE` config environment variable. - For generating self signed certificate you can use `kumactl` -```bash -$ kumactl generate tls-certificate --cert-file=/path/to/cert --key-file=/path/to/key --type=server --cp-hostname= +By default, the Admin Server that is serving the data plane proxy tokens is exposed only on `localhost`. To generate tokens from a different machine than the one where the control plane is running (`kuma-cp`) we must first secure our connections: + +1) Enable `kuma-cp` to accept requests from third party clients by setting `KUMA_ADMIN_SERVER_PUBLIC_ENABLED` to `true`. Please make sure to specify on what hostname we will make Kuma accessile to 3rd parties by setting the `KUMA_GENERAL_ADVERTISED_HOSTNAME` environment variable. +2) Generate a certificate for the HTTPS Admin Server and pass it to Kuma via the `KUMA_ADMIN_SERVER_PUBLIC_TLS_CERT_FILE` and `KUMA_ADMIN_SERVER_PUBLIC_TLS_KEY_FILE` config environment variables. + +To generate a self-signed certificate we can use `kumactl`: + +```sh +$ kumactl generate tls-certificate \ + --cert-file=/path/to/cert \ + --key-file=/path/to/key \ + --type=server \ + --cp-hostname= ``` -3) Pick a public interface on which HTTPS server will be exposed and set it via `KUMA_ADMIN_SERVER_PUBLIC_INTERFACE`. - Optionally pick the port via `KUMA_ADMIN_SERVER_PUBLIC_PORT`. By default, it will be the same as the port for the HTTP server exposed on localhost. -4) Generate one or more certificates for the clients of this server. Pass the path to the directory with client certificates (without keys) via `KUMA_ADMIN_SERVER_PUBLIC_CLIENT_CERTS_DIR`. - For generating self signed client certificates you can use `kumactl` -```bash -$ kumactl generate tls-certificate --cert-file=/path/to/cert --key-file=/path/to/key --type=client + +3) Pick a public interface on which the HTTPS server will listen to, and set it via `KUMA_ADMIN_SERVER_PUBLIC_INTERFACE`. Optionally we can select the port via the `KUMA_ADMIN_SERVER_PUBLIC_PORT` environment variable. By default, it will be the same port as the one for the HTTP server exposed on `localhost`. +4) Generate one or more certificates for the clients that will access the control plane server. Then pass the path of the directory with the client certificates (without keys) via the `KUMA_ADMIN_SERVER_PUBLIC_CLIENT_CERTS_DIR` env variable. + +For generating self signed client certificates we can use `kumactl`: + +```sh +$ kumactl generate tls-certificate \ + --cert-file=/path/to/cert \ + --key-file=/path/to/key \ + --type=client ``` -5) Configure `kumactl` with client certificate. -```bash + +5) Configure `kumactl` with a valid client certificate: + +```sh $ kumactl config control-planes add \ --name --address http://:5681 \ --admin-client-cert \ @@ -116,32 +142,34 @@ $ kumactl config control-planes add \ ## mTLS -Once a dataplane has proved its identity, it will be allowed to fetch its own identity certificate and a root CA certificate of the mesh. -When establishing a connection between two dataplanes each side validates each other dataplane certificate confirming the identity using the root CA of the mesh. +Once a data plane proxy has proved its identity, it will be allowed to fetch its own identity certificate and a root CA certificate of the mesh it belongs to. When establishing a connection between two dataplanes each side validates each other dataplane certificate confirming the identity using the root CA of the mesh. mTLS is _not_ enabled by default. To enable it, apply proper settings in [Mesh](../../policies/mesh) policy. -Additionally, when running on Universal you have to ensure that every dataplane in the mesh has been configured with a Dataplane Token. +Additionally, when running on Universal we have to ensure that every dataplane in the mesh has been configured with a Dataplane Token. ### TrafficPermission -When mTLS is enabled, every connection between dataplanes is denied by default, so you have to explicitly allow it using [TrafficPermission](../../policies/traffic-permissions). + +When mTLS is enabled, every connection between dataplanes is denied by default, so we have to explicitly allow it using [TrafficPermission](../../policies/traffic-permissions). ## Postgres -Since on Universal, the secrets such as "provided" CA's private key, are stored in Postgres, a connection between Postgres and Kuma CP should be secured with TLS. -To secure the connection, first pick the security mode using `KUMA_STORE_POSTGRES_TLS_MODE`. There are several modes: +Since on Universal secrets such as `provided` CA's private key are stored in Postgres, a connection between Postgres and Kuma CP should be secured with TLS. + +To secure the connection, we first need to pick the security mode using `KUMA_STORE_POSTGRES_TLS_MODE`. There are several modes: + * `disable` - is not secured with TLS (secrets will be transmitted over network in plain text). * `verifyNone` - the connection is secured but neither hostname, nor by which CA the certificate is signed is checked. * `verifyCa` - the connection is secured and the certificate presented by the server is verified using the provided CA. * `verifyFull` - the connection is secured, certificate presented by the server is verified using the provided CA and server hostname must match the one in the certificate. -The CA for verification server's certificate can be set using `KUMA_STORE_POSTGRES_TLS_CA_PATH`. +The CA used to verify the server's certificate can be set using the `KUMA_STORE_POSTGRES_TLS_CA_PATH` environment variable. + +After configuring the above security settings in Kuma, we also have to configure Postgres' [`pg_hba.conf`](https://www.postgresql.org/docs/9.1/auth-pg-hba-conf.html) file to restrict unsecured connections. -Once secured connections are configured in Kuma CP, you have to configure Postgres' [`pg_hba.conf`](https://www.postgresql.org/docs/9.1/auth-pg-hba-conf.html) file to restrict unsecured connections. Here is an example configuration that will allow only TLS connections and will require username and password: ``` # TYPE DATABASE USER ADDRESS METHOD hostssl all all 0.0.0.0/0 password ``` - -You can also provide client key and certificate for mTLS using `KUMA_STORE_POSTGRES_TLS_CERT_PATH` and `KUMA_STORE_POSTGRES_TLS_KEY_PATH`. -This pair can be used for auth-method `cert` described [here](https://www.postgresql.org/docs/9.1/auth-pg-hba-conf.html). + +We can also provide a client key and certificate for mTLS using the `KUMA_STORE_POSTGRES_TLS_CERT_PATH` and `KUMA_STORE_POSTGRES_TLS_KEY_PATH` variables. This pair can be used in conjunction with the `cert` auth-method described [here](https://www.postgresql.org/docs/9.1/auth-pg-hba-conf.html).