Credentials Rotation
in Kubernetes
Putting Together the Puzzle Pieces 🧩
Rafael Franzke, SAP
Tim Ebert, STACKIT
Setting the Scene
Problem Statement
Each Kubernetes cluster comes with a lot of credentials:
- 🪪 Certificate authorities
- 📝 Server and client certificates
- 🏷️ ServiceAccount tokens
- 🗝️ Static tokens
- 🔐 ETCD encryption key
- 🔑 SSH key pair
Open-Source Project Gardener
- Vanilla, conformant
clusters as a service - Early adopters of "Kubernetes in Kubernetes" model
- Native Kubernetes extension
- Universal Kubernetes at scale
- Started in 2017
Kubernetes as Workload on Kubernetes
Rotation At Scale
Gardener manages thousands of clusters
How to orchestrate credentials rotation at such scale?
Goals: Disruption-free, minimal ops, fully automated
Short-Lived Credentials
ServiceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
name: robotPods contacting the API server authenticate as part of a ServiceAccount:
apiVersion: v1
kind: Pod
metadata:
name: my-pod
spec:
serviceAccountName: robotProjected Token Mount 🔮
Since Kubernetes v1.22, this results in
spec: serviceAccountName: robot containers: - name: nginx image: nginx volumeMounts: - name: kube-api-access-5f65c mountPath: /var/run/secrets/kubernetes.io/serviceaccount readOnly: true volumes: - name: kube-api-access-5f65c projected: sources: - serviceAccountToken: expirationSeconds: 3607 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace
spec: serviceAccountName: robot containers: - name: nginx image: nginx volumeMounts: - name: kube-api-access-5f65c mountPath: /var/run/secrets/kubernetes.io/serviceaccount readOnly: true volumes: - name: kube-api-access-5f65c projected: sources: - serviceAccountToken: expirationSeconds: 3607 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace
spec: serviceAccountName: robot containers: - name: nginx image: nginx volumeMounts: - name: kube-api-access-5f65c mountPath: /var/run/secrets/kubernetes.io/serviceaccount readOnly: true volumes: - name: kube-api-access-5f65c projected: sources: - serviceAccountToken: expirationSeconds: 3607 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace
TokenRequest API
Projected Token Mount 🔮
Since Kubernetes v1.22, this results in
spec: containers: - name: nginx image: nginx volumeMounts: - name: kube-api-access-5f65c mountPath: /var/run/secrets/kubernetes.io/serviceaccount readOnly: true volumes: - name: kube-api-access-5f65c projected: sources: - serviceAccountToken: expirationSeconds: 3607 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace
spec: containers: - name: nginx image: nginx volumeMounts: - name: kube-api-access-5f65c mountPath: /var/run/secrets/kubernetes.io/serviceaccount readOnly: true volumes: - name: kube-api-access-5f65c projected: sources: - serviceAccountToken: expirationSeconds: 3607 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace
"Magic" Expiration Time 🪄
const ( WarnOnlyBoundTokenExpirationSeconds = 60*60+7 // 3607 ExpirationExtensionSeconds = 24*365*60*60 // 1y ) exp := req.Spec.ExpirationSeconds if pod != nil && r.isKubeAudiences(req.Spec.Audiences) && r.extendExpiration && req.Spec.ExpirationSeconds == WarnOnlyBoundTokenExpirationSeconds { exp = ExpirationExtensionSeconds }
const ( WarnOnlyBoundTokenExpirationSeconds = 60*60+7 // 3607 ExpirationExtensionSeconds = 24*365*60*60 // 1y ) exp := req.Spec.ExpirationSeconds if pod != nil && r.isKubeAudiences(req.Spec.Audiences) && r.extendExpiration && req.Spec.ExpirationSeconds == WarnOnlyBoundTokenExpirationSeconds { exp = ExpirationExtensionSeconds }
const ( WarnOnlyBoundTokenExpirationSeconds = 60*60+7 // 3607 ExpirationExtensionSeconds = 24*365*60*60 // 1y ) exp := req.Spec.ExpirationSeconds if pod != nil && r.isKubeAudiences(req.Spec.Audiences) && r.extendExpiration && req.Spec.ExpirationSeconds == WarnOnlyBoundTokenExpirationSeconds { exp = ExpirationExtensionSeconds }
const ( WarnOnlyBoundTokenExpirationSeconds = 60*60+7 // 3607 ExpirationExtensionSeconds = 24*365*60*60 // 1y ) exp := req.Spec.ExpirationSeconds if pod != nil && r.isKubeAudiences(req.Spec.Audiences) && r.extendExpiration && req.Spec.ExpirationSeconds == WarnOnlyBoundTokenExpirationSeconds { exp = ExpirationExtensionSeconds }
kube-apiserver silently overwrites the expiration seconds 👻 Source
Conclusion
Set
--service-account-extend-token-expiration=falseto ensure tokens are indeed only valid for1hIf you cannot control the flag (e.g., in managed clusters), overwrite the
expirationSecondsto ensure short validity
Static Token Secrets 📜
Before Kubernetes v1.24, a static token Secret was automatically generated for ServiceAccounts:
apiVersion: v1 kind: Secret metadata: name: robot annotations: kubernetes.io/service-account.name: robot kubernetes.io/service-account.uid: da68f9c6-9d26-11e7-b84e-002dc52800da data: ca.crt: <cluster-ca> namespace: default token: <some-static-token>
apiVersion: v1 kind: Secret metadata: name: robot annotations: kubernetes.io/service-account.name: robot kubernetes.io/service-account.uid: da68f9c6-9d26-11e7-b84e-002dc52800da data: ca.crt: <cluster-ca> namespace: default token: <some-static-token>
Such tokens have no expiration date! 😱
KEP-2799: Reduction of Secret-based Service Account Tokens
| Feature | Alpha | Beta | GA |
|---|---|---|---|
| No auto-generation ✅ | - | 1.24 | 1.26 |
| Usage tracking ✅ | 1.26 | 1.27 | 1.28 |
| Auto-cleanup ⚠️ | 1.28 | 1.29 | 1.30 |
Most probably static tokens still exist in your clusters! 👹
Conclusion
If you are on
v1.24or higher, manually delete still remaining static token secretsIf you are stuck below
v1.24, consider invalidating the tokens (talk to us!)
Rotating Static Credentials
Static Credentials 🔐
Solution 💡
Rotation in two phases:
- issue new credentials, accept both old and new
- invalidate old credentials
Server Certificates 🗄
| phase | cert signed by | clients trust |
|---|---|---|
| 0 | old CA | old CA |
| 1 | old CA | old+new CA |
| 2 | new CA | new CA |
Client Certificates 🧑💻
| phase | cert signed by | servers trust |
|---|---|---|
| 0 | old CA | old CA |
| 1 | new CA | old+new CA |
| 2 | new CA | new CA |
Key Elements 🔑
- clients need to refresh their credentials after preparation
- clients trigger completion once ready
- automatic rotation for non-user-facing credentials
Secrets Manager 👔
- our implementation in
- manages all types of credentials
Requesting a Server Cert
Live Coding!
Next Level: Auto-Rotation 🔁
- activated for non-user-facing credentials
- phase 1 triggered when approaching end of validity
- phase 2 triggered 24h later
- fully-automated + disruption-free!
Key Takeaways ✨
Key Takeaways
- use short-lived projected ServiceAccount tokens
- delete remaining static ServiceAccount tokens
Key Takeaways
- rotate static credentials in two phases
- use bundles in between
- implemented for Kubernetes as workload, concept is applicable to most workloads
Questions? 🙋
Slides Available Online:
Thanks 🙌
|
Follow us on Twitter: |
Check out project Gardener: |
Credentials Rotation in Kubernetes Putting Together the Puzzle Pieces 🧩 Rafael Franzke , SAP Tim Ebert , STACKIT