KEP-4317: (Pod Certificates) Update for beta

[ahmedtd]

Update KEP-4317 for beta.

Concrete changes:

• Add a config field to PodCertificateRequests and PodCertificateProjection as discussed in SIG-Auth.
• Specify metrics that should be exported by kube-apiserver and kubelet.
• Answer other beta questions in the KEP template

• Issue link: Pod Certificates #4317

[stlaz]

I wonder if we should just add this to a new story, something like this:

#### Story 2

I am a cluster owner. I would like to run a service in mu cluster and force it to use mTLS
for server/client authentication. I expect other applications in my cluster to be communicating
with my service. I want the cluster to provide a simple, yet secure way for these applications to
request client certificates that they can use to authenticate to the new service.

Several example signers built on the alpha feature set are available in the
[mesh-examples repository](https://github.com/ahmedtd/mesh-example).

[RafPe]

I would say if we would be able to reference signers already pre-existing would be possible easier for people to adopt it and give examples on writing their own if required

[stlaz]

should we have something in sigs.k8s.io eventually?

[ahmedtd]

I think that makes sense, but we would probably have to commit to maintaining them until they are upstreamed.

[enj]

I would expect some of these to land in k/k in KCM eventually.

[ahmedtd]

Yeah, I think the main question, is do we want to ship a SIG Auth project of some demo signers, that might eventually get specced out in a KEP and moved into k/k?

[enj]

My preference is to skip that step and go straight into KCM. TLS (and potentially mTLS) for Kube services is something I want all clusters to have.

[stlaz]

What about API version skews?

[ahmedtd]

Can you elaborate? The cases I'm discussing are about which version of the Kubernetes API each component was built against.

[stlaz]

Wrong item numbering :)

Is there a specific order of components in which to disable the FG? If Disable the PodCertificaterequest feature gate implies kubelet, it should be explicitly mentioned.

[stlaz]

I don't remember this particular detail from the implementation - is it possible to do these enablements in parallel? Won't a missing API cause for the feature to be still considered disabled on the kubelet side/fail initialization of a PCR watch?

[ahmedtd]

Hmmm, you're right, I think we need the feature gate to be enabled on all kube-apiserver replicas before it is enabled on any kubelet instance. I've updated the rollout/rollback steps to document this, and updated this section.

[stlaz]

You cannot use metrics labels with unbounded dimensions, such as names. This is to prevent DoS-ing your metrics scraper as this can easily cause memory exhaustion.

Applies to all suggested metrics.

[ahmedtd]

My thinking here is:

• There is a fixed upper limit on the number of pods served by each kubelet, and thus fixed upper limit on the pod namespace and pod name.
• Each pod probably only mounts a few certificates, and thus signer name is bounded (though not explicitly).

This could be problematic for the kube-apiserver metrics, though. I'll check and see if there are any that include namespace / pod name today.

[ahmedtd]

Some reference metrics:

• https://kubernetes.io/docs/reference/instrumentation/metrics/#:~:text=kube_pod_resource_limit --- exported by the scheduler, faceted on namespace and pod name
• apiserver_certificates_registry_csr_requested_duration_total --- exported by kube-apiserver, faceted on signerName, but with the caveat that only kubernetes.io signers are specifically reported.

These don't seem consistent to me --- there are potentially thousands of namespaces and tens of thousands of pods within a cluster, and (likely) ten or fewer signer names.

[ahmedtd]

Reading through the code change in kubernetes/kubernetes#102523, it seems like the real problems was that Prometheus counter vectors by default continue to hang on to facets, even if they are no longer getting data. We can fix that with

I think we might need some input from SIG Instrumentation about how to handle this case. The metrics instrumentation guide says this:

Notable exceptions are exporters like kube-state-metrics, which expose per-pod or per-deployment metrics, which are theoretically unbound over time as one could constantly create new ones, with new names. However, they have a reasonable upper bound for a given size of infrastructure they refer to and its typical frequency of changes.

In general, “external” labels like pod name, node name (any object name), & namespace do not belong in the instrumentation itself (the exception being kube-state-metrics). They are to be attached to metrics by the collecting system that has the external knowledge (blog post).

I'm not quite sure how to actually take action on that guidance. It seems clear that some of these metrics I am proposing should actually be exported by kube-state-metrics, though.

[stlaz]

I think we might need some input from SIG Instrumentation about how to handle this case.

That would be best.

[richabanker]

Isnt this state management of the metric - more reason to have the metrics in kube-state-metrics (provided the data is readily available in some API) which will do the state management implicitly?

[ahmedtd]

That is correct, but won't the information be available in the PodCertificateRequest status?

These get vacuumed very quickly, and given a PCR, you can generally only tell which pod it is related to, not which volume in the pod. That might be OK, I guess.

But I think to make diagnosis of issues via kube-state-metrics more bulletproof, we would want the pod status to have a field that maps volumes to their current refresh and expiration times.

kube-state-metrics could then export gauges showing time left until refresh and expiration for each volume of each pod.

[deads2k]

long thread. I'm everyone has commented on cardinality. I share the concern. Perhaps it's more useful to know a count of how many successful/failed refreshes by signer and how many expired/current certs by signer

[ahmedtd]

OK, I've cut the metrics down to one kubelet metric, reporting a gauge of currently-tracked pod certificate projections, bucketing them by signer name and the current state of the certificate. I think this strikes a good balance between cardinality and ability to pinpoint problems.

[dgrisonnet]

The new metric looks good to me 👍

[stlaz]

I suspect we don't expect there would be too many signers, or that there would be a great turnover so I guess the signer name is probably ok for these metrics.

[RafPe]

I would be keen to say this might not be the case. In a real case scenarios we could have a secure environments with KArpenter to scale out our workloads for example and further to that various signers depends on what their function would be or maybe different CAs.

[kannon92]

Please request a PRR review since you are promoting to beta.

[SergeyKanzhelev]

what would be length and characters limits here? Do we ever expect very long keys or values? If we want to start with restricting unicode command characters, we need to state it early - it will be hard to restrict later.

[ahmedtd]

I think we would do validation on the total size of the field, as well as copying whatever validation is applied to metadata annotations.

[kannon92]

This is related to https://github.com/kubernetes/enhancements/pull/5565/files#r2417192704.

[SergeyKanzhelev]

Please specify the limitations in spec. In metadata key is not allowing unicode and value allows any characters. If keys are expected to be ascii (no internationalization needed) and values allow the control characters, it is fine. It just can lead to discussions like kubernetes/kubernetes#132104 in future

[ahmedtd]

I've updated the spec to mention that the field is subject to the same validations as the metadata.annotations field, and include a summary description of that validation.

[ahmedtd]

Please request a PRR review since you are promoting to beta.

I think I have done this by including the PRR file in the PR.

[kannon92]

AFAIK kubernetes api conventions discourage the use of maps in the API.

https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#lists-of-named-subobjects-preferred-over-maps

Is this just suggesting exposing values to metadata on the pod?

[ahmedtd]

For this I just copied the structure of annotations. But a list of kv-pairs would also be a valid approach.

[ahmedtd]

I'm going to keep this as the same structure as annotations, since that lets us benefit from the annotation validation.

[kannon92]

PRR shadow:

This is not my area of expertise but I find the PRR very well thought out.

I have some questions on the use of a map[string]string in userConfig but I'll leave that to sigs to decide.

/assign @deads2k

[deads2k]

Some comments, nothing serious but the metrics need to be sorted out. PRR lgtm too.

[deads2k]

Clarify that kubernetes does verify or restrict these key/value pairs in any way.

[ahmedtd]

Done.

[deads2k]

same doc here about kubernetes not providing any guarantees about these name/value pairs.

[ahmedtd]

Done.

[deads2k]

yes to both please.

[ahmedtd]

These are both implemented in my demo repo

[deads2k]

@enj opinion on requiring?

[enj]

We should certainly make it possible, so that projects like Istio and Cilium can leverage it, if they want to. I don't think anything regarding SPIFFE should be included directly in KCM in the future though.

[ahmedtd]

I have implemented basic SPIFFE cert support in my demo repo. If we decide to move some of them into a sig-auth repo, we don't need to move that one.

[deads2k]

we don't require removal for beta.

[ahmedtd]

We're going to remove it just to keep life simple, I think.

[deads2k]

long thread. I'm everyone has commented on cardinality. I share the concern. Perhaps it's more useful to know a count of how many successful/failed refreshes by signer and how many expired/current certs by signer

[ahmedtd]

Whoops, I'm not sure how I closed this.

[deads2k]

PRR lgtm. Changes lgtm. I'm happy with metrics separated by signer name.

/approve
/hold for @enj

[enj]

First pass.

[enj]

Please add something like untrusted or unverified to the name of the field.

[ahmedtd]

OK, I've added Unverified in front of the field in PodCertificateRequestSpec. I've left the PodCertificateProjection field as "userAnnotations", since it seems weird to make the user write out that their requests are unverified.

[enj]

I thought we wanted these to be domain qualified?

[ahmedtd]

I wanted to reuse the same validation logic that we have adopted for annotations, since that's likely to be already well thought out. We can add an additional restriction that the key must be domain-qualified.

[enj]

I think this will need to be updated to match the other field's name.

[ahmedtd]

Oh, yes, done.

[enj]

Did we make the field required?

[ahmedtd]

Yes, you have to specify a value in the pod spec.

[enj]

I would expect some of these to land in k/k in KCM eventually.

[enj]

We should certainly make it possible, so that projects like Istio and Cilium can leverage it, if they want to. I don't think anything regarding SPIFFE should be included directly in KCM in the future though.

[enj]

Suggested change

	At alpha, enabling this feature in a live cluster will require the following steps.
	At beta, enabling this feature in a live cluster will require the following steps.

[ahmedtd]

Done.

[enj]

Mostly minor comments.

[enj]

I thought we removed this too?

[ahmedtd]

Yes, you're right, removed.

[enj]

Suggested change

	// These values are copied verbatim into the `spec.UnverifiedUserAnnotations` field of
	// These values are copied verbatim into the `spec.unverifiedUserAnnotations` field of

[ahmedtd]

Done.

[enj]

We don't check that the certs form a chain, just that all the certs are valid.

We also know that Go is going to tighten cert validation so let's be stricter on this new API from the start:

• no DNSNames entries are "" or contain .. or start/end with .
• EmailAddresses all pass mail.ParseAddress

[ahmedtd]

Updated.

[enj]

/lgtm
/approve
/hold cancel

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ahmedtd, deads2k, enj

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• keps/prod-readiness/OWNERS [deads2k]
• keps/sig-auth/OWNERS [deads2k,enj]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment