Move GEP-3792 to Memorandum with API in other GEPs #3894
Conversation
k8s-ci-robot
added
release-note-none
k8s-ci-robot
added
the
size/L
geps/gep-3792/index.md
Outdated
| gatewayClassName: ocg-gateway-class | ||
| ... | ||
| mesh: # All mesh-related configuration goes here | ||
| trustBundle: |
There was a problem hiding this comment.
I want to put in consideration adoption of ClusterTrustBundle which is now Beta in Kubernetes. It was designed exactly for this goal and is a perfect fit.
There was a problem hiding this comment.
This isn't a "no", but... what would that look like? do we basically vendor the Go type for ClusterTrustBundle for codegen and hope that it doesn't change out from under us? 🤔
There was a problem hiding this comment.
No, just an object ref to a ClusterTrustBundle. Or maybe not even a 'ref' needed, just a name (its cluster scoped so no namespace needed)
There was a problem hiding this comment.
ClusterTrustBundle, if I understand correctly, is an alpha feature from K8s 1.27 to K8s 1.32, which is to say that in nearly every version supported by Gateway API, if you don't have the feature gate enabled, the ClusterTrustBundle resource type won't exist and there will be no way to refer to a ClusterTrustBundle resource in the Gateway resource... which is why I'm asking what using ClusterTrustBundle would look like. 🙂
(I really, really do not want Gateway API to ship definitions for resources defined by the Kubernetes core, ever.)
ClusterTrustBundle is also a cluster-scoped resource, which feels a bit less than ideal, but that's a much much smaller problem in my mind.
There was a problem hiding this comment.
This is also an alpha (experimental) feature. It seems problematic that an experimental feature cannot depend on a Beta feature, and instead we are just re-inventing the exact thing ClusterTrustBundle was designed for
There was a problem hiding this comment.
Yeah, this isn't a question about semantics, I kind of agree with you in principle. 🙂 I'm asking about mechanics here: how, technically, can we use ClusterTrustBundle on a cluster where the APIserver does not have any resource type defined under that name?
Saying "you have use K8s 1.33 or enable the feature gate" feels problematic.
There was a problem hiding this comment.
The options here are:
- we only add
trustBundleinline for now, with a note about how we will add ClusterTrustBundle in the future. - we add both for now, with a note that once ClusterTrustBundle is more available in Gateway API supported versions, we will remove the inline
trustBundle. We can get away with that as long as this resource is Experimental. - We only add
trustBundle, and say "run 1.33 or later, or enable an alpha feature to use this". This would require us to specify the behavior for implementations; since this has a FeatureName anyway, there is a mechanism to say "requires k8s 1.33 or alpha feature enabled to work", although we've never done that before.
Because Gateway API's claimed Kubernetes support is five versions, the last would mean that we would need to wait nearly two years before bringing this API to GA in options 2 or 3. That feels like a longer timeline than people would expect for this. Unless we are okay with doing 3 and adding features that are not supported across all supported Kubernetes versions, which does not seem optimal to me.
@robscott for his thoughts on this one too.
There was a problem hiding this comment.
Actually, I just checked, and ClusterTrustBundle is only beta, and not enabled by default in v1.33, so this would be even longer. (See https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#cluster-trust-bundles for the reference)
At a minimum, if ClusterTrustBundle moves to Stable in v1.34, then the only time we could allow it with no caveats is as of Kubernetes v1.38, which is in just over two years.
In short; my thoughts here are that we can add a ClusterTrustBundle reference with a feature name and a version caveat at best. But we need something for before then as well.
There was a problem hiding this comment.
We have similar (though less restrictive) versioning issues for using ClusterTrustBundle within GKE. The approach we took was to make a CustomResource ("GKEClusterTrustBundle") that had exactly the same shape as ClusterTrustBundle, and have our controllers understand both types.
There was a problem hiding this comment.
Elsewhere in GW API when we've dealt with configure CA certs we've started with config maps with the idea that we'd add support for ClusterTrustBundle as it became more broadly available. That seems like a reasonable approach here, with the distinction that ClusterTrustBundle is likely going to go to GA in v1.35, so it would be good to consider that our default starting point with ConfigMap as the legacy backfill option from the outset.
geps/gep-3792/index.md
Outdated
| - The mesh MUST use an mTLS certificate ultimately signed by a certificate in | ||
| the trust bundle provided to the OCG. | ||
|
|
||
| - The OCG MUST send the `ocg.gateway.networking.k8s.io/v1` ALPN protocol |
There was a problem hiding this comment.
This applies to the whole proposal in general but specifically this line. There are 3 OCG implementations today. I would think to make this viable we need at least 2 to agree to this.
I know that, unless things have changed, using a custom ALPN is the hill at least one cloud will die on and will never support
There was a problem hiding this comment.
I'm not comfortable making this a MUST. Custom ALPNs are certainly a way to signal mTLS, but different implementations may use tunneling protocols like HBONE instead.
There was a problem hiding this comment.
@keithmattix and I discussed this on Slack a bit, since I'm very uncomfortable with making this a MAY and then having, say, the OCG expecting ALPN, the mesh expecting HBONE, but they both believe that they "support GEP-3792 OCG".
As Keith noted on Slack, though, it doesn't really make sense to require a mesh to only support one mechanism for solving the protocol problem, and it follows that it probably does make sense to add an explicit field to the Gateway and Mesh resources to say what the signalling mechanism is. That also permits warning Chihiro if the Gateway and Mesh disagree on what's offered. I'll add that.
There was a problem hiding this comment.
Also, to @howardjohn's point: we explicitly say in "Graduation Criteria" section that we require at least two OCG implementations and at least two mesh implementations. Leaving aside the choice of hills upon which to die... 🙂
There was a problem hiding this comment.
it follows that it probably does make sense to add an explicit field to the Gateway and Mesh resources to say what the signalling mechanism is. That also permits warning Chihiro if the Gateway and Mesh disagree on what's offered. I'll add that.
This makes me a bit nervous in that we could end up with n different protocols that OCGs would need to support here. Maybe this is unavoidable, but I'd really like to minimize the variations here if we can. The larger the number of variations here, the less likely it is that an OCG is going to be able to support them.
geps/gep-3792/index.md
Outdated
| - The mesh MUST use an mTLS certificate ultimately signed by a certificate in | ||
| the trust bundle provided to the OCG. | ||
|
|
||
| - The OCG MUST send the `ocg.gateway.networking.k8s.io/v1` ALPN protocol |
There was a problem hiding this comment.
I'm not comfortable making this a MUST. Custom ALPNs are certainly a way to signal mTLS, but different implementations may use tunneling protocols like HBONE instead.
|
I won't get much of a chance to watch this one further, but the main point I wanted to add is that, because this is TLS config for a Gateway, it's important that we define the interaction (or lack thereof) with consumer BackendTLSPolicy as per #3875. FTR, I think that saying "they are for different things, the only interaction is to end up with TLS-in-TLS, which is dumb, so you should avoid that". is fine by me. |
geps/gep-3792/index.md
Outdated
| for [Chihiro] and [Ian], _and_ it limits us to only having entire | ||
| namespaces meshed. | ||
|
|
||
| 6. Add a label selector to the Gateway resource and declare that Routes with |
There was a problem hiding this comment.
just a thought - how about an explicit mesh MTLS policy that targetRefs a service? the meshMTLS policy would indicate to both the OCG and Mesh Clients that they need to use Mesh MTLS to talk to the service.
the explicit meshMTLS policy can be either created by the user or the mesh controller creates a default one for every service that is meshed. The user would override the default one if they wish to tweak the default settings - for e.g override the SAN checks, or SNI or disable/enable MTLS perhaps (any kind of outbound setting).
There was a problem hiding this comment.
FWIW in Istio (and probably linkerd and every other mesh), the mesh TLS is a property of a workload (Pod) not service. So workloads within the same Service may not actually have the same properties
There was a problem hiding this comment.
@howardjohn I don't think that we should expect Gateways to be able to differentiate TLS configuration per workload, that would be a huge increase in scope/complexity for many Gateway implementations. Instead, it seems simpler to focus on the common attributes that Gateways can understand (Service, Namespace, etc).
(You may not have been suggesting that Gateways should be able to understand per-Pod TLS config, so sorry if I'm misunderstanding here).
There was a problem hiding this comment.
I am not necessarily suggesting we do, but to properly handle all cases you would need to
geps/gep-3792/index.md
Outdated
| as application-level mTLS that they should treat as an opaque data stream, | ||
| or they may simply refuse it. This alternative, therefore, both shifts the | ||
| entire burden of implementation to the meshes, and probably makes it | ||
| impossible to correctly handle application-level mTLS. |
There was a problem hiding this comment.
just wanted to mention that GKE Mesh is a notable exception (atleast partially). We use simply use bare mtls connection. And yes, we're subject to the downsides mentioned above. But the upside of interoperability between various GCP (off-GCP) data planes with GKE Mesh workloads using standard MTLS was/is deemed to be more important (i.e don't run into the protocol problem).
my intention with this comment is NOT to say custom protocol shouldn't be supported, but to point out that there are implementations that just use bare/standard mtls.
geps/gep-3792/index.md
Outdated
| gatewayClassName: ocg-gateway-class | ||
| ... | ||
| mesh: # All mesh-related configuration goes here | ||
| trustBundle: |
There was a problem hiding this comment.
can we allow for some kind of extensibility here to indicate Platform MTLS? The Platform MTLS is a feature of the cloud platform (e.g GKE Managed Workload Certificates) or the mesh vendor (e.g Istio) where the certs and trust bundle is provisioned by the platform for each workload and OCG automatically. In such cases, User need not configure the k8s Secret explicitly reducing toil.
There was a problem hiding this comment.
same comment for the counterpart in Mesh resource.
There was a problem hiding this comment.
or would clusterTrustBundle (or the gkeClusterTrustBundle) be able carry the info for the platform MTLS? @ahmedtd to confirm. If that's the case, then supporting clusterTrustBundle be the path forward for indicating platform MTLS.
There was a problem hiding this comment.
GKE Managed Workload Certificates uses GKEClusterTrustBundle, which is an identical copy of ClusterTrustBundle as a custom resource. We intend to migrate to ClusterTrustBundle for in-cluster distribution of trust anchors.
There was a problem hiding this comment.
@ahmedtd @karthikbox just to make sure I'm following this thread correctly, it sounds like ClusterTrustBundle (or an equivalent) would work well here, even for Platform mTLS?
geps/gep-3792/index.md
Outdated
| 3. Add a field to the Route resource that indicates whether the Route is | ||
| meshed. This feels like quite a bit of an imposition on [Ana] (and, again, | ||
| if we do our jobs correctly, [Ana] shouldn't need to think about this). |
There was a problem hiding this comment.
Maybe I am missing something, cant we use parentRef: <ANY_SERVICE>?
There was a problem hiding this comment.
The OCG won't be able to see a Route unless it has a parentRefs entry for the OCG itself. It feels quite strange to also have the OCG (a Gateway) look at other parentRefs entries to figure out if a mesh is involved?
geps/gep-3792/index.md
Outdated
| - The OCG MUST use an mTLS certificate ultimately signed by a certificate in | ||
| the trust bundle provided to the mesh. |
There was a problem hiding this comment.
I thought this trust bundle was configured on the mesh resource? This may be saying that, but it's a bit confusing to me.
geps/gep-3792/index.md
Outdated
| - The OCG MUST use an mTLS certificate ultimately signed by a certificate in | ||
| the trust bundle provided to the mesh. | ||
|
|
||
| - The mesh MUST use an mTLS certificate ultimately signed by a certificate in |
There was a problem hiding this comment.
Can we call this a client cert? Is the Gateway supposed to generate this on their own, or can/should a mesh provide client cert(s) for Gateway(s) to use?
geps/gep-3792/index.md
Outdated
| - The mesh MUST use an mTLS certificate ultimately signed by a certificate in | ||
| the trust bundle provided to the OCG. | ||
|
|
||
| - The OCG MUST send the `ocg.gateway.networking.k8s.io/v1` ALPN protocol |
There was a problem hiding this comment.
it follows that it probably does make sense to add an explicit field to the Gateway and Mesh resources to say what the signalling mechanism is. That also permits warning Chihiro if the Gateway and Mesh disagree on what's offered. I'll add that.
This makes me a bit nervous in that we could end up with n different protocols that OCGs would need to support here. Maybe this is unavoidable, but I'd really like to minimize the variations here if we can. The larger the number of variations here, the less likely it is that an OCG is going to be able to support them.
geps/gep-3792/index.md
Outdated
| The discovery problem is that not every workload in the cluster is required to | ||
| be meshed, which means that the OCG needs a way to know whether a given | ||
| connection must participate in the mesh or not. In practice, this isn't | ||
| actually a question of _workloads_ but of _Routes_: the point of interface | ||
| between a Gateway and a workload in the cluster is not a Pod or a Service, but | ||
| rather a Route. |
There was a problem hiding this comment.
It seems like we care less about which workloads have a mesh Route, and more about which workloads have automatic mTLS provided by a Mesh. My understanding is that most mesh implementations provide automatic mTLS/mesh transport for a broader set of workloads, and that's what we want Gateways to care about when connecting to backends with mTLS following this mesh config.
geps/gep-3792/index.md
Outdated
| for [Chihiro] and [Ian], _and_ it limits us to only having entire | ||
| namespaces meshed. | ||
|
|
||
| 6. Add a label selector to the Gateway resource and declare that Routes with |
There was a problem hiding this comment.
I'm trying to understand the mechanics of this. Does this selector only apply to Routes that are attached to each relevant Gateway? Are Gateway implementations supposed to look at mesh Routes?
geps/gep-3792/index.md
Outdated
| for [Chihiro] and [Ian], _and_ it limits us to only having entire | ||
| namespaces meshed. | ||
|
|
||
| 6. Add a label selector to the Gateway resource and declare that Routes with |
There was a problem hiding this comment.
@howardjohn I don't think that we should expect Gateways to be able to differentiate TLS configuration per workload, that would be a huge increase in scope/complexity for many Gateway implementations. Instead, it seems simpler to focus on the common attributes that Gateways can understand (Service, Namespace, etc).
(You may not have been suggesting that Gateways should be able to understand per-Pod TLS config, so sorry if I'm misunderstanding here).
geps/gep-3792/index.md
Outdated
| gatewayClassName: ocg-gateway-class | ||
| ... | ||
| mesh: # All mesh-related configuration goes here | ||
| trustBundle: |
There was a problem hiding this comment.
Elsewhere in GW API when we've dealt with configure CA certs we've started with config maps with the idea that we'd add support for ClusterTrustBundle as it became more broadly available. That seems like a reasonable approach here, with the distinction that ClusterTrustBundle is likely going to go to GA in v1.35, so it would be good to consider that our default starting point with ConfigMap as the legacy backfill option from the outset.
geps/gep-3792/index.md
Outdated
| spec: | ||
| gatewayClassName: ocg-gateway-class | ||
| ... | ||
| mesh: # All mesh-related configuration goes here |
There was a problem hiding this comment.
Why is this on the Gateway? This feels like configuration that could live on the Mesh resource?
geps/gep-3792/index.md
Outdated
| selector: | ||
| matchLabels: | ||
| linkerd.io/inject: "true" # or whatever label is appropriate |
There was a problem hiding this comment.
As I understand it, this selector is intended to select namespaces and routes. I'm very nervous about a multi-resource selector here though. My understanding is that the primary reason for considering Routes here is when only a portion of a namespace is part of a mesh. Would it be reasonable to keep a label selector for namespaces, and then opt-out per Service or Service Port?
The rationale for that would be:
- The selector is clearly for a single kind of resource
- We still provide a way to opt-out subsets of a namespace
- We're using granularities that are already well understood by a Gateway (my guess is that it will be difficult for some implementations to configure mTLS per route rule, but quite simple per backend as we're already doing with BackendTLSPolicy)
k8s-ci-robot
added
the
needs-rebase
k8s-ci-robot
removed
the
needs-rebase
k8s-ci-robot
added
the
do-not-merge/work-in-progress
kflynn
force-pushed
the
flynn/gep-3792
branch
2 times, most recently
from
a5e438e to
f5a7b01
Compare
k8s-ci-robot
added
size/M
kflynn
changed the title
|
I'm making this PR ready for review again because the API stuff is moving. However, I'm leaving many comments unresolved since they're relevant for other GEPs. |
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: kflynn The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
needs-rebase
Signed-off-by: Flynn <[email protected]>
…e Mesh resource, and define that the API will be different GEPs. Signed-off-by: Flynn <[email protected]>
Signed-off-by: Flynn <[email protected]>
Signed-off-by: Flynn <[email protected]>
k8s-ci-robot
removed
the
needs-rebase
|
@kflynn: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
| @@ -1,10 +1,17 @@ | |||
| # GEP-3792: Out-of-Cluster Gateways | |||
|
|
|||
| * Issue: [#3792](https://github.com/kubernetes-sigs/gateway-api/issues/3792) | |||
| * Status: Provisional | |||
| * Status: Memorandum | |||
There was a problem hiding this comment.
| * Status: Memorandum | |
| * Status: Deferred |
GEP-3792 is becoming Memorandum, defining the problems that need solving for OCG support.
#3950 is the new GEP that defines the Mesh resource.
An API GEP to allow experimenting with OCG support will arrive shortly.
/kind gep