Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions OWNERS_ALIASES
Original file line number Diff line number Diff line change
Expand Up @@ -156,6 +156,12 @@ aliases:
- jberkus
- jmhbnz
- justinsb
wg-node-identity-leads:
- elmiko
- hakman
- pfeifferj
- randomvariable
- rata
wg-node-lifecycle-leads:
- atiratree
- intUnderflow
Expand Down
1 change: 1 addition & 0 deletions sig-cluster-lifecycle/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,7 @@ subprojects, and resolve cross-subproject technical issues and decisions.
## Working Groups

The following [working groups][working-group-definition] are sponsored by sig-cluster-lifecycle:
* [WG Node Identity](/wg-node-identity)

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sig autoscaling and other sponsors needs to be updated too.
but note they must have agreed to it during a recorded zoom meeting.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is sig auth participating?

* [WG Node Lifecycle](/wg-node-lifecycle)
* [WG etcd Operator](/wg-etcd-operator)

Expand Down
1 change: 1 addition & 0 deletions sig-list.md
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,7 @@ When the need arises, a [new SIG can be created](sig-wg-lifecycle.md)
|[Data Protection](wg-data-protection/README.md)|[data-protection](https://github.com/kubernetes/kubernetes/labels/wg%2Fdata-protection)|* Apps<br>* Storage<br>|* [Xing Yang](https://github.com/xing-yang), VMware<br>* [Xiangqian Yu](https://github.com/yuxiangqian), Google<br>|* [Slack](https://kubernetes.slack.com/messages/wg-data-protection)<br>* [Mailing List](https://groups.google.com/a/kubernetes.io/g/wg-data-protection)|* Regular WG Meeting: [Wednesdays at 9:00 PT (Pacific Time) (bi-weekly)](https://zoom.us/j/6933410772)<br>
|[Device Management](wg-device-management/README.md)|[device-management](https://github.com/kubernetes/kubernetes/labels/wg%2Fdevice-management)|* Architecture<br>* Autoscaling<br>* Network<br>* Node<br>* Scheduling<br>|* [John Belamaric](https://github.com/johnbelamaric), Google<br>* [Kevin Klues](https://github.com/klueska), NVIDIA<br>* [Patrick Ohly](https://github.com/pohly), Intel<br>|* [Slack](https://kubernetes.slack.com/messages/wg-device-management)<br>* [Mailing List](https://groups.google.com/a/kubernetes.io/g/wg-device-management)|* Regular WG Meeting (Asia/Europe): [Wednesdays at 9:00 CET (Central European Time) (biweekly)](https://zoom.us/j/97238699195?pwd=cy9IMm1ZeERtRlJ3VS8yWUxHUWIrQT09)<br>* Regular WG Meeting (Europe/America): [Tuesdays at 8:30 PT (Pacific Time) (biweekly)](https://zoom.us/j/97238699195?pwd=cy9IMm1ZeERtRlJ3VS8yWUxHUWIrQT09)<br>
|[etcd Operator](wg-etcd-operator/README.md)|[etcd-operator](https://github.com/kubernetes/kubernetes/labels/wg%2Fetcd-operator)|* Cluster Lifecycle<br>* etcd<br>|* [Benjamin Wang](https://github.com/ahrtr), VMware<br>* [Ciprian Hacman](https://github.com/hakman), Microsoft<br>* [Josh Berkus](https://github.com/jberkus), Red Hat<br>* [James Blair](https://github.com/jmhbnz), Red Hat<br>* [Justin Santa Barbara](https://github.com/justinsb), Google<br>|* [Slack](https://kubernetes.slack.com/messages/wg-etcd-operator)<br>* [Mailing List](https://groups.google.com/a/kubernetes.io/g/wg-etcd-operator)|* Regular WG Meeting: [Tuesdays at 11:00 PT (Pacific Time) (bi-weekly)](https://zoom.us/my/cncfetcdproject)<br>
|[Node Identity](wg-node-identity/README.md)|[node-identity](https://github.com/kubernetes/kubernetes/labels/wg%2Fnode-identity)|* Autoscaling<br>* Cluster Lifecycle<br>|* [Michael McCune](https://github.com/elmiko), Red Hat<br>* [Ciprian Hacman](https://github.com/hakman), Microsoft<br>* [Josephine Pfeiffer](https://github.com/pfeifferj), Red Hat<br>* [Naadir Jeewa](https://github.com/randomvariable), Broadcom<br>* [Rodrigo Campos Catelin](https://github.com/rata), Amutable<br>|* [Slack](https://kubernetes.slack.com/messages/wg-node-identity)<br>* [Mailing List]()|* Regular WG Meeting: [TBDs at TBD UTC (monthly)](TBD)<br>
|[Node Lifecycle](wg-node-lifecycle/README.md)|[node-lifecycle](https://github.com/kubernetes/kubernetes/labels/wg%2Fnode-lifecycle)|* Apps<br>* Autoscaling<br>* CLI<br>* Cloud Provider<br>* Cluster Lifecycle<br>* Network<br>* Node<br>* Scheduling<br>* Storage<br>|* [Filip Křepinský](https://github.com/atiratree), Red Hat<br>* [Lucy Sweet](https://github.com/intUnderflow), Uber<br>* [Ryan Hallisey](https://github.com/rthallisey), NVIDIA<br>|* [Slack](https://kubernetes.slack.com/messages/wg-node-lifecycle)<br>* [Mailing List](https://groups.google.com/a/kubernetes.io/g/wg-node-lifecycle)|* WG Node Lifecycle Weekly Meeting: [Mondays at 8:00 PT (Pacific Time) (weekly)](https://zoom.us/j/97533929033)<br>
|[Workload-aware Scheduling](wg-workload-aware-scheduling/README.md)|[workload-aware-scheduling](https://github.com/kubernetes/kubernetes/labels/wg%2Fworkload-aware-scheduling)|* Apps<br>* Autoscaling<br>* Scheduling<br>|* [Andrey Velichkevich](https://github.com/andreyvelich), Apple<br>* [Heba Elayoty](https://github.com/helayoty), Microsoft<br>* [Kevin Hannon](https://github.com/kannon92), Red Hat<br>* [Matt Matejczyk](https://github.com/mm4tt), Google<br>|* [Slack](https://kubernetes.slack.com/messages/wg-workload-aware-scheduling)<br>* [Mailing List](https://groups.google.com/a/kubernetes.io/g/wg-workload-aware-scheduling)|* WG Workload Aware Scheduling Meeting [APAC friendly]: [Tuesdays at 12:00 PT (Pacific Time) (bi-weekly)](https://zoom.us/j/92680403832?pwd=ONq4tsGwcPdxpesoY3wuqdaLgEUt5X.1)<br>* WG Workload Aware Scheduling Meeting [NA friendly]: [Thursdays at 9:00 PT (Pacific Time) (bi-weekly)](https://zoom.us/j/98086037242?pwd=qDQagLhEl0kF36gQOcnC5jFDQr33Fg.1)<br>

Expand Down
41 changes: 41 additions & 0 deletions sigs.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -3841,6 +3841,47 @@ workinggroups:
liaison:
github: soltysh
name: Maciej Szulik
- dir: wg-node-identity
name: Node Identity
mission_statement: >
To define “node attestation” and propose deliverables that need to be adopted to deploy, secure, cloud–provider/hardware-backed node identity and attestation with a common model across environments.

charter_link: charter.md
stakeholder_sigs:
- Autoscaling
- Cluster Lifecycle
Comment on lines +3850 to +3852

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

iirc only SIG Cluster Lifecycle gave a sponsoring +1 (in the 2026-05-12 meeting). SIG Node said they're time-constrained to sponsor and would participate instead (2026-04-28), and as I understood autoscaling is an interested consumer rather than a sponsor.

since the generated SIG READMEs render every stakeholder_sigs entry as "sponsored by", this should probably be:

Suggested change
stakeholder_sigs:
- Autoscaling
- Cluster Lifecycle
stakeholder_sigs:
- Cluster Lifecycle

label: node-identity
leadership:
chairs:
- github: elmiko
name: Michael McCune
company: Red Hat
email: msm@opbstudios.com
- github: hakman
name: Ciprian Hacman
company: Microsoft
email: chacman@microsoft.com
- github: pfeifferj
name: Josephine Pfeiffer
company: Red Hat
email: hi@josie.lol
- github: randomvariable
name: Naadir Jeewa
company: Broadcom
email: naadir@randomvariable.co.uk
- github: rata
name: Rodrigo Campos Catelin
company: Amutable
email: rodrigo@sdfg.com.ar
meetings:
- description: Regular WG Meeting
day: TBD
time: TBD
tz: UTC
frequency: monthly
url: TBD
contact:
slack: wg-node-identity
- dir: wg-node-lifecycle
name: Node Lifecycle
mission_statement: >
Expand Down
36 changes: 36 additions & 0 deletions wg-node-identity/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
<!---
This is an autogenerated file!

Please do not edit this file directly, but instead make changes to the
sigs.yaml file in the project root.

To understand how this file is generated, see https://git.k8s.io/community/generator/README.md
--->
# Node Identity Working Group

To define “node attestation” and propose deliverables that need to be adopted to deploy, secure, cloud–provider/hardware-backed node identity and attestation with a common model across environments.

The [charter](charter.md) defines the scope and governance of the Node Identity Working Group.

## Stakeholder SIGs
* [SIG Autoscaling](/sig-autoscaling)
* [SIG Cluster Lifecycle](/sig-cluster-lifecycle)

## Meetings
* Regular WG Meeting: [TBDs at TBD UTC](TBD) (monthly). [Convert to your timezone](http://www.thetimezoneconverter.com/?t=TBD&tz=UTC).

## Organizers

* Michael McCune (**[@elmiko](https://github.com/elmiko)**), Red Hat
* Ciprian Hacman (**[@hakman](https://github.com/hakman)**), Microsoft
* Josephine Pfeiffer (**[@pfeifferj](https://github.com/pfeifferj)**), Red Hat
* Naadir Jeewa (**[@randomvariable](https://github.com/randomvariable)**), Broadcom
* Rodrigo Campos Catelin (**[@rata](https://github.com/rata)**), Amutable

## Contact
- Slack: [#wg-node-identity](https://kubernetes.slack.com/messages/wg-node-identity)
- [Mailing list]()
- [Open Community Issues/PRs](https://github.com/kubernetes/community/labels/wg%2Fnode-identity)
<!-- BEGIN CUSTOM CONTENT -->

<!-- END CUSTOM CONTENT -->
84 changes: 84 additions & 0 deletions wg-node-identity/charter.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,84 @@
# WG Node Identity Charter

This charter adheres to the conventions described in the [Kubernetes Charter README](https://github.com/kubernetes/community/blob/master/committee-steering/governance/README.md) and uses the Roles and Organization Management outlined in [wg-governance](https://github.com/kubernetes/community/blob/master/committee-steering/governance/wg-governance.md).

## Background

Node attestation isn't new in the Kubernetes ecosystem, but every distribution that takes it seriously has built its own approach \- [GKE attests nodes with a virtual TPM](https://cloud.google.com/kubernetes-engine/docs/how-to/shielded-gke-nodes), [kOps verifies cloud-native instance identity](https://kops.sigs.k8s.io/architecture/kops-controller/), and [EKS authenticates nodes through their IAM roles](https://github.com/kubernetes-sigs/aws-iam-authenticator). Each proves the same thing: that a node is what it claims to be, but none of these interoperate, none share a common security review, and an operator moving between distributions or wanting to combine different clouds meets a different node identity model each time.

For self-managed clusters the common case is kubeadm bootstrap tokens, which are bearer credentials that can't be scoped to a specific node. [Cluster API](https://github.com/kubernetes-sigs/cluster-api), and [Karpenter on self-managed kubeadm](https://github.com/aws/karpenter-provider-aws/issues/4492) both inherit this gap. The 2022 [Cluster API Security Self-Assessment](https://github.com/kubernetes/sig-security/blob/main/sig-security-assessments/cluster-api/self-assessment.md) flagged it as critical — an attacker who reads a token can register as any node, including a control plane node — and its fix, [replace the kubeadm join with host attestation](https://github.com/kubernetes-sigs/cluster-api/issues/3762), was marked "Planned" and never landed.

The appetite to fix this was clear at the [KubeCon EU 2026 maintainer panel "From Static Tokens to Attestation"](https://www.youtube.com/watch?v=MIO3tDk0GnI), which drew roughly 150 attendees, ran past time, and spilled into the hallway track. The recurring theme: this has stayed unsolved not for lack of building blocks but because no SIG owns the end-to-end problem.

The proposers bar is that a solution be low-effort to *consume*; solutions like SPIFFE exist, is a possible backend, but require additional infrastructure that strays from the ease of use of cluster bring up with common tooling.

We acknowledge that clouds differ too much for one uniform implementation \- some expose a vTPM and signed metadata, others hand you a bare VM and an IP. So this WG doesn't assume one mechanism fits all. It aims to give the problem a cross-SIG home and a legible model: a consistent interface in core Kubernetes with thin per-provider implementations behind it \- so what differs is the mechanism, not the user's mental model.

Above all, it's a venue to gather the people already interested, scattered today across SIGs, distributions, and practitioners in one place to solve it.

## Scope

The scope of this WG is to define “node attestation” and propose deliverables that need to be adopted to deploy, secure, cloud–provider/hardware-backed node identity and attestation with a common model across environments. The goal is for attestation to be enabled by default and require minimal configuration on platforms that support it, making secure node identity the easy path rather than an advanced option. We succeed if following a Getting Started guide in the Kubernetes docs gets you an attested cluster.

### In Scope

- Defining terms such as a Kubernetes-native node attestation that allows kubelets to prove their identity to the control plane using platform-provided attestation (TPM, vTPM, cloud instance identity documents, or similar mechanisms)
- Define use cases for Kubernetes users that address the heterogeneity of environments.
- Determining which common features (e.g. TPM attestation) can be covered by APIs.
- Propose new sub-projects if existing sub-projects are not sufficient.
- Producing a threat model for the node identity lifecycle covering bootstrap, certificate rotation, and node impersonation attacks

### Out of Scope

- Developing any node attestation mechanism outside of the ownership of a sponsoring SIG.
- Long term ownership of cloud provider-specific implementations of attestation verifiers
- Workload identity (existing solutions exist)
- Removal of bootstrap token support — bootstrap tokens will remain available as a fallback, but attestation should be the default for distributions that support it

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

unlikely for the kubeadm team to agree on that.
the regular k8s user doesn't care about atestation.


## Deliverables

* An accepted KEP and sponsoring SIG
* A common threat model applicable to multiple cluster lifecycle management tools, clouds, virtualized environments and bare metal.
* Provide a space for collaboration across cloud providers and practitioners to determine common, viable features that should be supported by Kubernetes SIGs. Given consensus in one or more ideas, the WG will facilitate and coordinate the delivery of proposals in the appropriate areas with owning SIGs.

## Stakeholders

* SIG Node
* SIG Cluster Lifecycle
* SIG Autoscaling
* SIG Cloud Provider

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
## Stakeholders
Sponsoring SIGs:
* SIG Cluster Lifecycle
Participating SIGs:
* SIG Node
* SIG Cloud Provider
* SIG Autoscaling

## Roles and Organization Management

This WG adheres to the Roles and Organization Management outlined in [wg-governance](https://github.com/kubernetes/community/blob/master/committee-steering/governance/wg-governance.md) and opts-in to updates and calculation of the [Conditions for Disbanding](https://github.com/kubernetes/community/blob/master/committee-steering/governance/wg-governance.md#disbanding).

### Chairs

- Rodrigo Campos Catelin (@rata)
- Ciprian Hacman (@hakman)
- Naadir Jeewa (@randomvariable)
- Michael McCune (@elmiko)
- Josephine Pfeiffer (@pfeifferj)

### Steering Committee Liaison

- TBD (assigned after approval)

## Exit Criteria

This WG will disband when its deliverables are complete

1. Completed definitions and key use cases for cluster owners and lifecycle management implementations, documented and committed.
2. Key common features that Kubernetes or a sub-project needs to best support the defined use cases.
3. For each feature in the list, proposals/KEPs which support them are made to the relevant sub-project OR propose new sub-projects if deemed necessary. The KEPs must move to Accepted as a condition of exit.

### Alternative Exit Paths

- **Early exit**: If the WG determines during Phase 1 that node attestation cannot be securely implemented within the existing Kubernetes certificate infrastructure without unacceptable complexity, it will publish findings and recommendations and disband
- **Partial exit**: If the security review identifies fundamental issues with moving attestation into core or a subproject, the WG will document the findings and recommend that attestation remain an out-of-tree extension point

### Progress Reporting

- Annual reports to the steering committee (due by 1 March)
- Quarterly updates to sponsoring SIG mailing lists (sig-node@, sig-cluster-lifecycle@, @sig-cloud-provider)

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- Quarterly updates to sponsoring SIG mailing lists (sig-node@, sig-cluster-lifecycle@, @sig-cloud-provider)
- Quarterly updates to sponsoring and participating SIG mailing lists (sig-cluster-lifecycle@, sig-node@, sig-cloud-provider@, sig-autoscaling@)

- Monthly WG meetings open to the community