Uploaded image for project: 'Network Edge'
  1. Network Edge
  2. NE-1112

[GWAPI-TP] Develop a security model for tech preview

    XMLWordPrintable

Details

    • Epic
    • Resolution: Unresolved
    • Critical
    • None
    • None
    • None
    • Develop a Security Model
    • 8
    • False
    • None
    • False
    • To Do
    • OCPSTRAT-247 - Gateway API using Istio for Cluster Ingress - Tech Preview
    • OCPSTRAT-247Gateway API using Istio for Cluster Ingress - Tech Preview
    • 0
    • 0% 0%
    • 0
    • 0.0

    Description

      Develop an initial security model, including any RBAC we need, as we uncover customer requirements.

      • Determine in which namespaces admins may create Gateways, at a minimum
      • Which namespaces are allowed by default
      • Which roles are allowed to do which operations (get, create, delete, etc) on which objects (gatewayclass, gateway, xRoute etc)
      • Do we want Istio  to watch all namespace and rely on RBAC to control who can create what.
      • Does istio-operator configure RBAC

      See https://issues.redhat.com/browse/OSSM-2221 and answer the question about whether it's ok to inject pods into the control plane namespace. 

      Deliverables:

      • the default RBAC policy
      • document outcomes on the open questions below, and customizations allowed by the user

      Open Questions

      • Do we allow project admins (or other users) to create Gateway objects in arbitrary namespaces?
        • Pro: The only way to configure custom certificates is to do so on the Gateway.
        • Con: Complicates the security model. 
          • To do: Research listener collapsing (NE-1000)
          • To do: Research Istio's conflict resolution.
        • Con: Increases the attack surface.
          • To do: Research whether users are restricted from modifying automatic deployments or reading certificates etc. that Istio injects, and what kind of attack surface these automatic deployments add. 
          • To do: Research whether users are allowed to create LoadBalancer-type services by default (how did we restrict this on OpenShift Starter/Online?). 
          • To do: Research how Service Mesh dealt with PodSecurityConstraints, and whether the existing solution is sufficient for automatic deployments in arbitrary namespaces. 
        • Con: Complicates DNS management.
          • Maybe not really an issue—if the project admin wants a DNS record for a custom domain, then OpenShift cannot create the DNS record anyway since OpenShift doesn't own the hosted zone.
          • Possible solution: Allow automatic deployments, but only manage DNS for Gateways in the openshift-ingress namespace. 

      Attachments

        Issue Links

          is related to

          Spike - Represents a research-related task. NE-999 Understand Istio operator interactions with Istio Gateway

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • To Do
          relates to

          Spike - Represents a research-related task. NE-1000 Understand Gateway API listener collapsing and how Istio Gateway implements

          • Critical - To be worked on immediately following BLOCKER issues.
          • To Do

          Activity

            People

              Unassigned Unassigned
              cholman@redhat.com Candace Holman
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated: