Revision cb6a58bef00b40084392774de0a6bc0602c6daec authored by Marco Iorio on 11 June 2024, 09:43:48 UTC, committed by André Martins on 13 June 2024, 13:01:41 UTC
Currently, the same etcd user (i.e., remote) is granted permissions to read the whole content of the clustermesh-apiserver's sidecar etcd instance, including also the data cached by kvstoremesh, when enabled. In an effort to harden the overall clustermesh posture, let's introduce a separate and dedicated user for local access, to ensure that remote clusters cannot access cached data, as it may include information that they would not normally have access to. Specifically, the remote user is intended to have access only to the information regarding the local cluster, while the local user can access cached data about remote clusters only. Still, for backward compatibility purposes, the remote user still retains access to cached data as well in this release. The reason being that there would otherwise be a time window upon upgrade in which Cilium Agents would lose access to the kvstoremesh data (especially in large clusters). Indeed, the new certificate would be mounted by the agents only upon rollout, but the configuration would be immediately reloaded (thus targeting the new, not yet mounted, certificate), hence breaking the access to the information cached by kvstoremesh. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
1 parent 22bab80
| File | Mode | Size |
|---|---|---|
| .devcontainer | ||
| .github | ||
| .nvim | ||
| .vscode | ||
| Documentation | ||
| api | ||
| bpf | ||
| bugtool | ||
| cilium-dbg | ||
| cilium-health | ||
| clustermesh-apiserver | ||
| contrib | ||
| daemon | ||
| examples | ||
| hack | ||
| hubble | ||
| hubble-relay | ||
| images | ||
| install | ||
| operator | ||
| pkg | ||
| plugins | ||
| test | ||
| tools | ||
| vendor | ||
| .authors.aux | -rw-r--r-- | 416 bytes |
| .clang-format | -rw-r--r-- | 7.6 KB |
| .clomonitor.yml | -rw-r--r-- | 984 bytes |
| .gitattributes | -rw-r--r-- | 887 bytes |
| .gitignore | -rw-r--r-- | 1.8 KB |
| .golangci.yaml | -rw-r--r-- | 4.4 KB |
| .mailmap | -rw-r--r-- | 6.9 KB |
| AUTHORS | -rw-r--r-- | 51.5 KB |
| CODEOWNERS | -rw-r--r-- | 28.2 KB |
| CODE_OF_CONDUCT.md | -rw-r--r-- | 2.2 KB |
| CONTRIBUTING.md | -rw-r--r-- | 691 bytes |
| FURTHER_READINGS.rst | -rw-r--r-- | 6.4 KB |
| LICENSE | -rw-r--r-- | 11.1 KB |
| MAINTAINERS.md | -rw-r--r-- | 4.6 KB |
| Makefile | -rw-r--r-- | 25.3 KB |
| Makefile.defs | -rw-r--r-- | 7.5 KB |
| Makefile.docker | -rw-r--r-- | 7.1 KB |
| Makefile.kind | -rw-r--r-- | 16.8 KB |
| Makefile.quiet | -rw-r--r-- | 818 bytes |
| README.rst | -rw-r--r-- | 19.6 KB |
| SECURITY-INSIGHTS.yml | -rw-r--r-- | 2.1 KB |
| SECURITY.md | -rw-r--r-- | 1.0 KB |
| USERS.md | -rw-r--r-- | 35.0 KB |
| VERSION | -rw-r--r-- | 11 bytes |
| Vagrantfile | -rw-r--r-- | 14.9 KB |
| go.mod | -rw-r--r-- | 13.6 KB |
| go.sum | -rw-r--r-- | 96.9 KB |
| netlify.toml | -rw-r--r-- | 92 bytes |
| stable.txt | -rw-r--r-- | 8 bytes |
| vagrant_box_defaults.rb | -rw-r--r-- | 334 bytes |
Computing file changes ...
