Proposal: Instance Identity Credentials in Cloud Foundry
Eric Malm <emalm@...>
Hi, all,
The CF Diego team has a proposal[1] for Cloud Foundry to generate and distribute instance-specific credentials to application instances running on the platform. These credentials will be in the form of an X.509 certificate-key pair suitable for use in TLS communication, and are intended to encode the CF identity of each individual application instance in the subject distinguished name in the certificate.

We envision this functionality to be generally useful as more and more communication happens directly with containerized application instances. For example, these platform-native credentials will allow application instances and tasks to present their identity as a CF application to:

- external services that they access via TLS communication,
- clients that communicate with them via TLS traffic that they terminate (say, via TCP routing),
- other application instances on an overlay network established by the CF Container Networking project[2].

The credentials will be relatively short-lived, to limit the impact of accidental disclosure to untrusted parties, and will be rotated regularly within the container filesystem. On the host Diego cell, they will be protected from unauthorized access via filesystem permissions and will be stored only in system memory via tmpfs or a similar ephemeral filesystem.

We of course welcome input and feedback on the proposal via inline commentary on the proposal document, especially with regard to potential use cases for this proposed platform capability. We have already identified one immediate use case for these credentials: application instances will be able to use them to authenticate with the recently proposed CredHub project[3] to retrieve credentials for bound services after service brokers store them in CredHub, thus maximizing the compartmentalization of extremely sensitive service credentials within CF. Some initial stages of work are planned in the Diego backlog in the "instance-identity:creds" epic[4].
Thanks,
Eric Malm, CF Diego PM

[1]: https://docs.google.com/document/d/1OWrqaNEQkl8VXd8r3W6GgDEXxd3sXw5C-20dAu76HOk/edit
[2]: https://github.com/cloudfoundry-incubator/cf-networking-release
[3]: https://docs.google.com/document/d/1iG28J2Lm8RY3BXCZqqNWO7v-G1ppcdK8cizlhbN_o4g/edit
[4]: https://www.pivotaltracker.com/epic/show/3288841
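The mechanics the proposal describes, an X.509 certificate-key pair whose subject distinguished name carries the CF instance identity, issued with a short lifetime and checked by whoever the instance talks to, can be seen end to end in the following Go program. It is an added illustration written for this page, not code from the Diego team, the proposal document, or any Cloud Foundry release. Everything below the proposal's own outline is assumed: the in-memory issuing CA (the proposal does not say which component signs), the subject layout (OU `app:<app-guid>`, CN `<instance-guid>`), the one-hour lifetime, the function names, and the sample GUIDs, which are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// InstanceIdentity is what a relying party recovers from a verified instance certificate.
type InstanceIdentity struct{ AppGUID, InstanceGUID string }

// newKeyAndSerial generates a P-256 key and a random 128-bit certificate serial.
func newKeyAndSerial() (*ecdsa.PrivateKey, *big.Int, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	return key, serial, err
}

// newCA builds an in-memory issuing CA, an assumed stand-in for whichever platform component signs instance certificates.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, serial, err := newKeyAndSerial()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: "instance-identity-ca (constructed)"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueInstanceCert issues a short-lived leaf; the assumed subject layout is OU "app:<app-guid>", CN "<instance-guid>".
func issueInstanceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey,
	appGUID, instanceGUID string, issuedAt time.Time, ttl time.Duration) ([]byte, *ecdsa.PrivateKey, error) {
	key, serial, err := newKeyAndSerial()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: instanceGUID, OrganizationalUnit: []string{"app:" + appGUID}},
		NotBefore:    issuedAt, NotAfter: issuedAt.Add(ttl), // short lifetime: the rotation window
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	return der, key, err
}

// verifyInstanceCert is the relying party's side: the leaf must chain to the platform CA and be valid at `now`; only then is its subject trusted as the instance's identity.
func verifyInstanceCert(leafDER []byte, ca *x509.Certificate, now time.Time) (InstanceIdentity, error) {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return InstanceIdentity{}, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return InstanceIdentity{}, fmt.Errorf("instance certificate rejected: %w", err)
	}
	id := InstanceIdentity{InstanceGUID: leaf.Subject.CommonName}
	for _, ou := range leaf.Subject.OrganizationalUnit {
		if strings.HasPrefix(ou, "app:") {
			id.AppGUID = strings.TrimPrefix(ou, "app:")
		}
	}
	if id.AppGUID == "" || id.InstanceGUID == "" {
		return InstanceIdentity{}, fmt.Errorf("certificate subject carries no instance identity")
	}
	return id, nil
}

func main() {
	ca, caKey, err := newCA()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	// Constructed sample GUIDs, not real CF identifiers; the one-hour lifetime stands in for the rotation period.
	leaf, _, _ := issueInstanceCert(ca, caKey, "app-guid-constructed", "instance-0-constructed", now, time.Hour)
	id, err := verifyInstanceCert(leaf, ca, now.Add(30*time.Minute))
	fmt.Println("within lifetime:", id, err)
	_, err = verifyInstanceCert(leaf, ca, now.Add(2*time.Hour))
	fmt.Println("after lifetime:", err)
}
```

The point the verifier makes is the one the proposal relies on: a relying party (an external service, a TCP-routed client, or another instance on the overlay network) only reads the identity out of the subject after the chain and validity-period checks have passed, so a certificate that has outlived its rotation window, or one not signed by the platform CA, yields no identity at all. The same verification would sit behind a TLS listener's client-certificate callback in a real deployment.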