All hops encrypted amongst internal and external services in Knative

[nainaz]

Describe the feature

User story: As a user, I want all my traffic to be encrypted throughout the Knative routing path, so that any data going over that path is not readable for anybody else and make my environment more secure.

Business justification: Currently containers running as Knative service must communicate using HTTP/1.1 without any encryption, and in case there is encryption this terminates at the knative-serving side rather than at the container level (thus not achieving full end-to-end encryption and failing some security standards). Supporting passthrough/re-encrypt in the ingress for serverless would enable this feature and make customer's environments more secure.

Acceptance Criteria:
GIVEN I have deployed a service using knative
WHEN I have created a certificate to encrypt incoming external traffic
AND created a "secret" and necessary networking configuration
THEN I am accessing my serverless application by using a secure connection that is now trusted by the CA

Things to consider:

• Need to be enabled / enable-able for all Ingress implementations
• Need to cover 3 paths:
  - Ingress -> Queue-Proxy when scaled above TargetBurstCapacity extra capacity. If this was the only part implemented, it would prevent scale-to-zero.
  • Needed for scale-to-zero:
  • Ingress -> Activator - Needs the ability to change HTTP headers to record traffic split decision.
  • Activator -> Queue-Proxy
    -Should we support ONE certificate for all services?
  • Do individual certificates per service for now.
  • Certification rotation can also be used.
  • Reencryption or passthrough either would be acceptable.

Implementation tasks for Alpha:

• All Hops Encrypted: Activator serving TLS #12501
• All Hops Encrypted: Queue-Proxy serving TLS #12502
• All Hops Encrypted: Activator uses queue-proxy TLS if available #12503
• All Hops Encrypted: alpha Kourier support for encrypted backends knative-extensions/net-kourier#750
• Support knative-internal-tls in net-contour knative-extensions/net-contour#703
• TODO: integration work on control plane once data plane components are implemented (force activator always in path)

[nainaz]

found a similar issue : adding it here : Encrypt traffic on the data-path "natively"

[n3wscott]

Our answer for this has always been "sounds like you want to use istio". Is this really a Knative specific feature?

[antoineco]

As long as this doesn't get extended to adding support for an ocean of access control schemes, authentication mechanisms, etc. (in other words, sticking with TLS encryption only) I think this could be manageable.

I didn't look into the details, but @slinkydeveloper did experiment with a fully-automated PKI in the context of control-protocol at https://github.com/knative-sandbox/control-protocol/tree/release-0.25/pkg/certificates. The Kafka channel implementation in the Eventing sandbox uses it already.

[nainaz]

Hello Scott, Sorry for the late reply. My 2 cents. Knative serving (scale to zero and in turn the operational efficiencies) is very attractive, especially to Financial institutions , however, if we cannot offer the basic TLS security requirements natively and force the use of Mesh just for this use case. We increase the extra hop and overhead and in turn add a con on using knative. One of the reasons we decided to move to Kourier is to remove dependency on Istio. Hello Antoine, TLS encryption is the goal of this request. I will take a look at the info you provided. Thank you, -N

…

On Mon, 6 Sept 2021 at 04:50, Antoine Cotten ***@***.***> wrote: As long as this doesn't get extended to adding support for an ocean of access control schemes, authentication mechanisms, etc. (in other words, sticking with TLS encryption only) I think this could be manageable. I didn't look into the details, but @slinkydeveloper <https://github.com/slinkydeveloper> did experiment with a fully-automated PKI in the context of control-protocol at https://github.com/knative-sandbox/control-protocol/tree/release-0.25/pkg/certificates. The Kafka channel implementation in the Eventing sandbox uses it <https://github.com/knative-sandbox/eventing-kafka/tree/release-0.25/pkg/common/controlprotocol> already. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#11906 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AISZCFDESFZHQ6KODTB4P3DUAR6FDANCNFSM5DKG5AZA> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

[nainaz]

Hello folks, We have started a feature track for this. https://docs.google.com/document/d/1XE7UzgQlVVtAb7ULSqOyKCaIHtm8zMF35ainp1JmwyY/edit?resourcekey=0-e1MXRxQaalq-EHW46ZCCWg#heading=h.n8a530nnrb Please feel free to add/edit and raise concerns in the doc. Thank you, Thank you, -N

…

On Thu, 9 Sept 2021 at 11:51, Naina Singh ***@***.***> wrote: Hello Scott, Sorry for the late reply. My 2 cents. Knative serving (scale to zero and in turn the operational efficiencies) is very attractive, especially to Financial institutions , however, if we cannot offer the basic TLS security requirements natively and force the use of Mesh just for this use case. We increase the extra hop and overhead and in turn add a con on using knative. One of the reasons we decided to move to Kourier is to remove dependency on Istio. Hello Antoine, TLS encryption is the goal of this request. I will take a look at the info you provided. Thank you, -N On Mon, 6 Sept 2021 at 04:50, Antoine Cotten ***@***.***> wrote: > As long as this doesn't get extended to adding support for an ocean of > access control schemes, authentication mechanisms, etc. (in other words, > sticking with TLS encryption only) I think this could be manageable. > > I didn't look into the details, but @slinkydeveloper > <https://github.com/slinkydeveloper> did experiment with a > fully-automated PKI in the context of control-protocol at > https://github.com/knative-sandbox/control-protocol/tree/release-0.25/pkg/certificates. > The Kafka channel implementation in the Eventing sandbox uses it > <https://github.com/knative-sandbox/eventing-kafka/tree/release-0.25/pkg/common/controlprotocol> > already. > > — > You are receiving this because you authored the thread. > Reply to this email directly, view it on GitHub > <#11906 (comment)>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/AISZCFDESFZHQ6KODTB4P3DUAR6FDANCNFSM5DKG5AZA> > . > Triage notifications on the go with GitHub Mobile for iOS > <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> > or Android > <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. > >

[evankanderson]

There was additional discussion in #11239 that might be worth reading when considering the proposal.

[github-actions]

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Reopen the issue with /reopen. Mark the issue as
fresh by adding the comment /remove-lifecycle stale.

[evankanderson]

I believe we have an alpha (and maybe beta) design for this in the Feature Track document along with a list of parallel items for networking WG to engage with upstream gateway-api on supporting TLS to upstream (backendRef) services.

[nak3]

a list of parallel items for networking WG to engage with upstream gateway-api on supporting TLS to upstream (backendRef) services.

Upstream gateway-api is planning to support the TLS to upstream service by the "extension" for now. They will clarify it by kubernetes-sigs/gateway-api#968