mirror of https://github.com/istio/istio.io.git
* zh-translation: /blog/2019/trustworthy-jwt-sds/index.md #1137 * apply ilylia's advice
parent c7074c08ec
commit a0622bf256
@ -1,31 +1,25 @@
|
|||
---
|
||||
title: Change in Secret Discovery Service in Istio 1.3
|
||||
description: Taking advantage of Kubernetes trustworthy JWTs to issue certificates for workload instances more securely.
|
||||
title: Istio 1.3 Secret 服务发现的更改
|
||||
description: 利用 Kubernetes 可信任的 JWT 来更安全地为工作负载实例颁发证书。
|
||||
publishdate: 2019-09-10
|
||||
attribution: Phillip Quy Le (Google)
|
||||
keywords: [security, PKI, certificate, nodeagent, sds]
|
||||
target_release: 1.2
|
||||
---
|
||||
|
||||
In Istio 1.3, we are taking advantage of improvements in Kubernetes to issue certificates for workload instances more securely.
|
||||
在 Istio 1.3 中,我们正在利用 Kubernetes 的改进功能来更安全地为工作负载实例颁发证书。
|
||||
|
||||
When a Citadel Agent sends a certificate signing request to Citadel to get a certificate for a workload instance,
|
||||
it includes the JWT that the Kubernetes API server issued representing the service account of the workload instance.
|
||||
If Citadel can authenticate the JWT, it extracts the service account name needed to issue the certificate for the workload instance.
|
||||
当 Citadel 代理向 Citadel 发送证书签名请求以获取工作负载实例的证书时,它包含了 Kubernetes API 服务器颁发的代表工作负载实例的服务帐户的 JWT。如果 Citadel 可以对 JWT 进行身份验证,则提取为工作负载实例颁发证书所需的服务帐户名。
|
||||
|
||||
Before Kubernetes 1.12, the Kubernetes API server issues JWTs with the following issues:
|
||||
在 Kubernetes 1.12 之前,Kubernetes API 服务器的 JWT 存在以下问题:
|
||||
|
||||
1. The tokens don't have important fields to limit their scope of usage, such as `aud` or `exp`. See [Bound Service Tokens](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/auth/bound-service-account-tokens.md) for more info.
|
||||
1. The tokens are mounted onto all the pods without a way to opt-out. See [Service Account Token Volumes](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/storage/svcacct-token-volume-source.md) for motivation.
|
||||
1. 令牌没有重要字段来限制其使用范围,例如 `aud` 或 `exp`。有关更多信息,请参见[绑定服务令牌](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/auth/bound-service-account-tokens.md)。
|
||||
1.令牌安装在所有 pod 上,无法退出。请参见[服务帐户令牌数量](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/storage/svcacct-token-volume-source.md)了解其机制。
|
||||
|
||||
Kubernetes 1.12 introduces `trustworthy` JWTs to solve these issues.
|
||||
However, support for the `aud` field to have a different value than the API server audience didn't become available until [Kubernetes 1.13](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.13.md).
|
||||
To better secure the mesh, Istio 1.3 only supports `trustworthy` JWTs and requires the value of the `aud` field to be `istio-ca` when you enable SDS.
|
||||
Before upgrading your Istio deployment to 1.3 with SDS enabled, verify that you use Kubernetes 1.13 or later.
|
||||
Kubernetes 1.12 引入了 `可信任` JWT 来解决这些问题。但是,直到 [Kubernetes 1.13] 才支持 `aud` 字段与 API 服务器受众具有不同的值。为了更好地保护网格,Istio 1.3 仅支持 `可信任` JWT,并且在启用 SDS 时要求 `aud` 字段的值为 `istio-ca`。在启用 SDS 的情况下将 Istio 部署升级到 1.3 之前,请验证您是否使用了 Kubernetes 1.13 或更高版本。
|
||||
|
||||
Make the following considerations based on your platform of choice:
|
||||
根据您选择的平台进行以下考虑:
|
||||
|
||||
- **GKE:** Upgrade your cluster version to at least 1.13.
|
||||
- **On-prem Kubernetes** and **GKE on-prem:** Add [extra configurations](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection) to your Kubernetes. You may
|
||||
also want to refer to the [api-server page](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/) for the most up-to-date flag names.
|
||||
- For other platforms, check with your provider. If your vendor does not support trustworthy JWTs, you will need to fall back to the file-mount approach to propagate the workload keys and certificates in Istio 1.3.
|
||||
- **GKE:** 至少将群集版本升级到 1.13。
|
||||
- **本地 Kubernetes** 和 **私有 GKE:** 将[额外配置](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection)添加到您的 Kubernetes。您也可以参考 [api-server 页面](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/)以获取最新的标志名称。
|
||||
- 对于其他平台,请与您的提供商联系。如果您的提供商不支持可信任 JWT,则您将需要使用文件挂载的方式来传播 Istio 1.3 中的工作负载密钥和证书。
|
||||
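Review bot: the second item of the translated numbered list, `1.令牌安装在所有 pod 上,无法退出。`, has no space after `1.`, so Markdown will not render it as a list item; it should read `1. 令牌安装在所有 pod 上,...` like the item above it. In the same hunk, the translated paragraph writes `[Kubernetes 1.13]` without the link target that the English source keeps (`https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.13.md`), so the reference to the changelog is lost; and the link text `服务帐户令牌数量` renders "Service Account Token Volumes" as "quantity" (数量) where the proposal is about a token volume source (卷). Consider restoring the link and the volume wording so readers can follow the upgrade prerequisites.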