Skip to content

Commit

Permalink
SecureComms: Add support for inbound namespace
Browse files Browse the repository at this point in the history
Support opening inbound ports in configrable network namespaces.
This allows opening an inbound port inside the pod network namespace of the podvm.
The traffic will be forwarded via the SecureComms ssh channel to the outbound at the worker node.

Signed-off-by: David Hadas <[email protected]>
  • Loading branch information
davidhadas authored and davidhIBM committed Oct 7, 2024
1 parent 04ba307 commit 12d5a83
Show file tree
Hide file tree
Showing 3 changed files with 108 additions and 18 deletions.
2 changes: 1 addition & 1 deletion src/cloud-api-adaptor/cmd/cloud-api-adaptor/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -114,7 +114,7 @@ func (cfg *daemonConfig) Setup() (cmd.Starter, error) {
flags.BoolVar(&secureComms, "secure-comms", false, "Use SSH to secure communication between cluster and peer pods")
flags.StringVar(&secureCommsInbounds, "secure-comms-inbounds", "", "Inbound tags for secure communication tunnels")
flags.StringVar(&secureCommsOutbounds, "secure-comms-outbounds", "", "Outbound tags for secure communication tunnels")
flags.StringVar(&secureCommsKbsAddr, "secure-comms-kbs", "kbs-service.kbs-operator-system:8080", "Address of a KBS Service for Secure-Comms")
flags.StringVar(&secureCommsKbsAddr, "secure-comms-kbs", "kbs-service.trustee-operator-system:8080", "Address of a KBS Service for Secure-Comms")
flags.DurationVar(&cfg.serverConfig.ProxyTimeout, "proxy-timeout", proxy.DefaultProxyTimeout, "Maximum timeout in minutes for establishing agent proxy connection")

flags.StringVar(&cfg.networkConfig.TunnelType, "tunnel-type", podnetwork.DefaultTunnelType, "Tunnel provider")
Expand Down
74 changes: 62 additions & 12 deletions src/cloud-api-adaptor/docs/SecureComms.md
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ Once the "Kubernetes Phase" SSH channel is established, Secure Comms connects th

See [Secure Comms Architecture Slides](./SecureComms.pdf) for more details.

## Setup
## Setup for CoCo with Trustee

### Deploy CAA
Use any of the option for installing CAA depending on the cloud driver used.
Expand All @@ -37,19 +37,25 @@ Deploy Trustee-Operator by following instructions at [trustee Operator Getting S

Make sure to uncomment the secret generation as recommended for both public and private key (`kbs-auth-public-key` and `kbs-client` secrets).

Copy the kbs-client secret from the `kbs-operator-system` namespace to the `confidential-containers-system` ns. This can be done using:
```sh
kubectl get secrets -n trustee-operator-system
NAME TYPE DATA AGE
kbs-auth-public-key Opaque 1 28h
kbs-client Opaque 1 28h
```

Copy the kbs-client secret from the `trustee-operator-system` namespace to the `confidential-containers-system` ns. This can be done using:

```sh
kubectl get secret kbs-client -n kbs-operator-system -o json|jq --arg ns "confidential-containers-system" 'del(.metadata["creationTimestamp","resourceVersion","selfLink","uid","annotations"]) | .metadata.namespace |= $ns' |kubectl apply -f -
kubectl get secret kbs-client -n trustee-operator-system -o json|jq --arg ns "confidential-containers-system" 'del(.metadata["creationTimestamp","resourceVersion","selfLink","uid","annotations"]) | .metadata.namespace |= $ns' |kubectl apply -f -
```

For a testing environment, you may need to change the policy of the KBS and AS using the KBS Client to allow all or fit your own policy. One way to do that is:

```sh
kubectl -n kbs-operator-system exec deployment/trustee-deployment --container as -it -- /bin/bash
sed -i.bak 's/^default allow = false/default allow = true/' /opt/confidential-containers/attestation-service/opa/default.rego
kubectl -n trustee-operator-system exec deployment/trustee-deployment --container as -it -- sed -i.bak 's/^default allow = false/default allow = true/' /opt/confidential-containers/attestation-service/opa/default.rego

kubectl -n kbs-operator-system get cm resource-policy -o yaml | sed "s/default allow = false/default allow = true/"|kubectl apply -f -
kubectl -n trustee-operator-system get cm resource-policy -o yaml | sed "s/default allow = false/default allow = true/"|kubectl apply -f -
```

### Build a podvm that enforces Secure-Comms
Expand All @@ -59,27 +65,69 @@ Change the `src/cloud-api-adaptor/podvm/files/etc/systemd/system/agent-protocol-
ExecStart=/usr/local/bin/agent-protocol-forwarder -pod-namespace /run/netns/podns -secure-comms -kata-agent-socket /run/kata-containers/agent.sock $TLS_OPTIONS $OPTIONS
```

You may also include additional Inbounds and Outbounds configurations to the Forwarder using the `-secure-comms-inbounds` and `-secure-comms-outbounds` flags. See more details regarding Inbounds and Outbounds below.
You may also include additional Inbounds and Outbounds configurations to the Forwarder using the `-secure-comms-inbounds` and `-secure-comms-outbounds` flags. [See more details regarding Inbounds and Outbounds below.](#adding-named-tunnels-to-the-ssh-channel)

For example:
```sh
ExecStart=/usr/local/bin/agent-protocol-forwarder -kata-agent-namespace /run/netns/podns -secure-comms -secure-comms-inbounds KUBERNETES_PHASE:mytunnel:podns:6666 -kata-agent-socket /run/kata-containers/agent.sock $TLS_OPTIONS $OPTIONS
```

Once you changed `podvm/files/etc/systemd/system/agent-protocol-forwarder.service`, you will need to [rebuild the podvm](./../podvm/README.md).


### Activate CAA Secure-Comms feature
Use `kubectl edit cm peer-pods-cm -n confidential-containers-system` to add to the `peer-pods-cm` config map at the `confidential-containers-system` namespace:
Activate Secure-Comms of CAA by changing the `SECURE_COMMS` parameter of the `peer-pods-cm` configMap in the `confidential-containers-system` namespace to `"true"`.

```sh
kubectl -n confidential-containers-system get cm peer-pods-cm -o yaml | sed "s/SECURE_COMMS: \"false\"/SECURE_COMMS: \"true\"/"|kubectl apply -f -
```

Set InitData to point KBC services to IP address 127.0.0.1
```sh
cat <<EOF > /tmp/initdata.txt
algorithm = "sha384"
version = "0.1.0"
[data]
"aa.toml" = '''
[token_configs]
[token_configs.coco_as]
url = 'http://127.0.0.1:8080'
[token_configs.kbs]
url = 'http://127.0.0.1:8080'
'''
"cdh.toml" = '''
socket = 'unix:///run/confidential-containers/cdh.sock'
credentials = []
[kbc]
name = 'cc_kbc'
url = 'http://127.0.0.1:8080'
'''
EOF
export INITDATA=`base64 -w 0 /tmp/initdata.txt`
kubectl -n confidential-containers-system get cm peer-pods-cm -o yaml | sed 's/\s*^INITDATA: .*/ INITDATA: '$INITDATA'/'|kubectl apply -f -

```

You may also include additional Inbounds and Outbounds configurations to the Adaptor using the `SECURE_COMMS_INBOUNDS` and `SECURE_COMMS_OUTBOUNDS` config points. [See more details regarding Inbounds and Outbounds below.](#adding-named-tunnels-to-the-ssh-channel)

Use `kubectl edit cm peer-pods-cm -n confidential-containers-system` to make such changes in the configMap, for example:
```sh
apiVersion: v1
data:
...
SECURE_COMMS: "true"
SECURE_COMMS_OUTBOUNDS: "KUBERNETES_PHASE:mytunnel:149.81.64.62:7777"
...
```

You may also include additional Inbounds and Outbounds configurations to the Adaptor using the `SECURE_COMMS_INBOUNDS` and `SECURE_COMMS_OUTBOUNDS` config points. See more details regarding Inbounds and Outbounds below.

You may also set the KBS address using the `SECURE_COMMS_KBS_ADDR` config point.


### Adding named tunnels to the SSH channel

## Adding named tunnels to the SSH channel
Named tunnels can be added to the SSH channel. Adding a named tunnel requires adding an Inbound at one of the SSH channel peers and an Outbound at the other SSH channel peer. The Inbound and Outbound both carry the name of the tunnel being created.

|---------Tunnel----------|
Expand All @@ -88,9 +136,11 @@ Client->Inbound----------->Outbound->Server

Inbounds and Outbounds take the form of a comma separated inbound/outbound tags such that Inbounds are formed as "InboundTag1,InboundTag2,InboundTag3,..." and Outbounds are formed as "OutboundTag1,OutboundTag2,outboundTag3,..."

Each Inbound tag is structured as `Phase:Name:Port` where:

Each Inbound tag is structured as `Phase:Name:Namespace:Port` or `Phase:Name:Port` where:
- Phase can be 'KUBERNETES_PHASE' to represent an outbound available during the Kubernetes phase, 'ATTESTATION_PHASE' to represent an outbound available during the Attestation phase, or 'BOTH_PHASES' to represent an outbound available during both phases.
- Name is the name of the tunnel
- Namespace (if available) is a linux network namespace where the local service should be available.
- Port is the local service port being opened to serve as ingress of the tunnel.

Each outbound tag is structured as `Phase:Name:Host:Port` or `Phase:Name:Port` where:
Expand Down
50 changes: 45 additions & 5 deletions src/cloud-api-adaptor/pkg/securecomms/sshproxy/sshproxy.go
Original file line number Diff line number Diff line change
Expand Up @@ -9,11 +9,13 @@ import (
"net/http"
"net/http/httputil"
"net/url"
"path/filepath"
"strconv"
"strings"
"sync"

"github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/securecomms/sshutil"
"github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/util/netops"
"golang.org/x/crypto/ssh"
)

Expand Down Expand Up @@ -102,11 +104,11 @@ func (inbounds *Inbounds) AddTags(tags []string, inboundPorts map[string]string,
if tag == "" {
continue
}
inPort, _, name, phase, err := ParseTag(tag)
inPort, namespace, name, phase, err := ParseTag(tag)
if err != nil {
return fmt.Errorf("failed to parse inbound tag %s: %v", tag, err)
}
retPort, err := inbounds.Add(inPort, name, phase, wg)
retPort, err := inbounds.Add(namespace, inPort, name, phase, wg)
if err != nil {
return fmt.Errorf("failed to add inbound: %v", err)
}
Expand All @@ -117,12 +119,34 @@ func (inbounds *Inbounds) AddTags(tags []string, inboundPorts map[string]string,
return nil
}

func (inbounds *Inbounds) Add(inPort int, name, phase string, wg *sync.WaitGroup) (string, error) {
func (inbounds *Inbounds) listen(namespace string, tcpAddr *net.TCPAddr, name string) (tcpListener *net.TCPListener, err error) {
if namespace == "" {
return net.ListenTCP("tcp", tcpAddr)
}

var ns netops.Namespace
ns, netopsErr := netops.OpenNamespace(filepath.Join("/run/netns", namespace))
if netopsErr != nil {
return nil, fmt.Errorf("inbound %s failed to OpenNamespace '%s': %w", name, namespace, netopsErr)
}
defer ns.Close()

netopsErr = ns.Run(func() error {
tcpListener, err = net.ListenTCP("tcp", tcpAddr)
return err
})
if netopsErr != nil {
return nil, fmt.Errorf("inbound %s failed to ListenTCP '%s': %w", name, namespace, netopsErr)
}
return
}

func (inbounds *Inbounds) Add(namespace string, inPort int, name, phase string, wg *sync.WaitGroup) (string, error) {
tcpAddr := &net.TCPAddr{
IP: net.IPv4(127, 0, 0, 1),
Port: inPort,
}
tcpListener, err := net.ListenTCP("tcp", tcpAddr)
tcpListener, err := inbounds.listen(namespace, tcpAddr, name)
if err != nil {
return "", fmt.Errorf("inbound failed to listen to host: %s port '%d' - err: %v", name, inPort, err)
}
Expand Down Expand Up @@ -162,6 +186,22 @@ func (inbounds *Inbounds) DelAll() {
inbounds.list = [](*Inbound){}
}

// ParseTag() parses an inbound or outbound tag
// Outbound tags with structure <Phase>:<Name>:<Port>
//
// are interperted to approach 127.0.0.1:<Port>
//
// Outbound tags with structure <Phase>:<Name>:<Host>:<Port>
//
// are interperted to approach <Host>:<Port>
//
// Inbound tags with structure <Phase>:<Name>:<Port>
//
// are interperted to serve 127.0.0.1:<Port> on host network namespace
//
// Inbound tags with structure <Phase>:<Name>:<Namespace>:<Port>
//
// are interperted to serve 127.0.0.1:<Port> on <Namespace> network namepsace
func ParseTag(tag string) (port int, host, name, phase string, err error) {
var inPort string
var uint64port uint64
Expand All @@ -174,7 +214,7 @@ func ParseTag(tag string) (port int, host, name, phase string, err error) {
} else if len(splits) == 4 {
phase = splits[0]
name = splits[1]
host = splits[2]
host = splits[2] // host for outbound or network namespace for inbound
inPort = splits[3]
} else {
err = fmt.Errorf("illegal tag: %s", tag)
Expand Down

0 comments on commit 12d5a83

Please sign in to comment.