Security Self Assessment: [STRIDE-SPOOF-4][STRIDE-SPOOF-5] Machine attestation for secure kubelet registration

[randomvariable]

User Story

As a security operator, I want to ensure developers who have access to create MachineDeployments are not able to gain access to data for workloads on a cluster they are not supposed to.

Detailed Description

kubeadm bootstrap tokens allow registration as arbitrary node names. GCP, EKS and Kops provide mechanisms to attest to the identity of a node such that they do not inadvertently get access to secrets and volumes not intended for that node. Provide a mechanism to resolve.

Anything else you would like to add:

[Miscellaneous information that will assist in solving the issue.]

/kind feature

[vincepri]

/milestone Next

To be determined if we can get this in v1alpha4

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[vincepri]

/lifecycle frozen

[randomvariable]

I know we don't have a label for it, but just for tracking

/area node-agent

[k8s-ci-robot]

@randomvariable: The label(s) area/node-agent cannot be applied, because the repository doesn't have them

In response to this:

I know we don't have a label for it, but just for tracking

/area node-agent

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[neolit123]

node-agent

just wanted to note that k8s docs address the kubelet as the "primary node agent":

https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/

The kubelet is the primary "node agent" that runs on each node

but if this is a "CAPI node agent" people are likely not going to be that confused.

[vincepri]

@neolit123 Yes it's a Cluster API Node Agent :)

[arianvp]

Would it make sense to use https://spiffe.io/ for abstracting the node attestation part so it's cloud-agnostic (and works on prem; e.g. with the TPM attestor? )