From 47cb22bfc0fdfec6a2b03fc17061e9ed5cf1c568 Mon Sep 17 00:00:00 2001 From: Norwin Schnyder Date: Tue, 7 Oct 2025 11:26:13 +0000 Subject: [PATCH 1/3] docs: add provisional GEP for flexible TLS Validation in BackendTLSPolicy Signed-off-by: Norwin Schnyder --- geps/gep-4152/index.md | 65 +++++++++++++++++++++++++++++++++++++ geps/gep-4152/metadata.yaml | 7 ++++ 2 files changed, 72 insertions(+) create mode 100644 geps/gep-4152/index.md create mode 100644 geps/gep-4152/metadata.yaml diff --git a/geps/gep-4152/index.md b/geps/gep-4152/index.md new file mode 100644 index 0000000000..6fd6df04be --- /dev/null +++ b/geps/gep-4152/index.md @@ -0,0 +1,65 @@ +# GEP-4152: Allow flexible TLS Validation in BackendTLSPolicy + +* Issue: [#4152](https://github.com/kubernetes-sigs/gateway-api/issues/4152) +* Status: Provisional + +## TLDR + +The ability for the `BackendTLSPolicy` to skip TLS verification or to validate +certificates based on their fingerprint or public key hash. + +## Motivation + +The current `BackendTLSPolicy` follows a secure-by-default approach that requires +users to provide a trusted CA certificate bundle or rely on the system’s default +certificate store (which typically includes root CAs) to validate backend server +certificates. However, real-world deployments include cases where strict +certificate validation may not be possible or practical, e.g., Development and +testing environments that use self-signed certificates generated dynamically at +runtime. + +In such scenarios, users may need the flexibility to disable certificate +verification or to use certificate pinning. Certificate pinning offers a safer +and more controlled alternative, instead of bypassing TLS validation, the gateway +verifies that the backend’s certificate matches a known fingerprint or public key +hash. This preserves the confidentiality and integrity guarantees of TLS while +removing the operational overhead of managing full certificate chains or trusted +CA bundles. + +### User Stories + +* As an application developer, I want the option to disable backend TLS + certificate verification on a per-backend basis, so I can connect to services + using dynamically generated or self-signed certificates during development or + testing. +* As an application developer, I want secure-by-default behavior, ensuring that + certificate verification is always enabled unless I explicitly opt out, to + prevent accidentally deploying insecure configurations to production. +* As an application developer, I want an alternative to disabling verification, + such as certificate or SPKI pinning, so I can securely communicate with + backends using self-signed certificates without managing CA bundles. +* As a gateway operator, I want to control whether skipping TLS verification is + permitted for specific Gateways. +* As a security officer, I want transparency and auditability into where TLS + verification has been disabled. + +## Goals + +* Enable connecting to backends over TLS without requiring certificate + validation. +* Support certificate and SPKI pinning as alternatives to disabling verification + or relying on CA trust chains. +* Maintain a secure-by-default approach, with certificate verification enabled + unless explicitly opted out. +* Provide operator-level controls so Gateway constraints can restrict or permit + the use of skip-verify. + +## API + +**TODO**: First PR will not include any implementation details, in favor of +building consensus on the motivation, goals and non-goals first. _"How?"_ we +implement shall be left open-ended until _"What?"_ and _"Why?"_ are solid. + +## References + +* [GEP-1897: BackendTLSPolicy - Explicit Backend TLS Connection Configuration](https://gateway-api.sigs.k8s.io/geps/gep-1897/) diff --git a/geps/gep-4152/metadata.yaml b/geps/gep-4152/metadata.yaml new file mode 100644 index 0000000000..37c5567d22 --- /dev/null +++ b/geps/gep-4152/metadata.yaml @@ -0,0 +1,7 @@ +apiVersion: internal.gateway.networking.k8s.io/v1alpha1 +kind: GEPDetails +number: 4152 +name: Allow flexible TLS Validation in BackendTLSPolicy +status: Provisional +authors: + - snorwin From afe8ca215ced6fe70d3984e1dac5e2e041b79dc7 Mon Sep 17 00:00:00 2001 From: Norwin Schnyder Date: Tue, 7 Oct 2025 14:43:18 +0000 Subject: [PATCH 2/3] Update metadata Signed-off-by: Norwin Schnyder --- geps/gep-1897/metadata.yaml | 3 +++ geps/gep-4152/index.md | 2 +- geps/gep-4152/metadata.yaml | 5 ++++- 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/geps/gep-1897/metadata.yaml b/geps/gep-1897/metadata.yaml index 99d5444aa3..afad0e64bc 100644 --- a/geps/gep-1897/metadata.yaml +++ b/geps/gep-1897/metadata.yaml @@ -15,3 +15,6 @@ relationships: - number: 1282 name: Describing Backend Properties description: Implements just part of the Backend Properties GEP. +extendedBy: + - number: 4152 + name: Extending TLS Validation in BackendTLSPolicy diff --git a/geps/gep-4152/index.md b/geps/gep-4152/index.md index 6fd6df04be..f4f482a0fe 100644 --- a/geps/gep-4152/index.md +++ b/geps/gep-4152/index.md @@ -1,4 +1,4 @@ -# GEP-4152: Allow flexible TLS Validation in BackendTLSPolicy +# GEP-4152: Extending TLS Validation in BackendTLSPolicy * Issue: [#4152](https://github.com/kubernetes-sigs/gateway-api/issues/4152) * Status: Provisional diff --git a/geps/gep-4152/metadata.yaml b/geps/gep-4152/metadata.yaml index 37c5567d22..e1c16ce5eb 100644 --- a/geps/gep-4152/metadata.yaml +++ b/geps/gep-4152/metadata.yaml @@ -1,7 +1,10 @@ apiVersion: internal.gateway.networking.k8s.io/v1alpha1 kind: GEPDetails number: 4152 -name: Allow flexible TLS Validation in BackendTLSPolicy +name: Extending TLS Validation in BackendTLSPolicy status: Provisional authors: - snorwin +extends: + - number: 1897 + name: BackendTLSPolicy - Explicit Backend TLS Connection Configuration From b77aa0c55ef1cfcbc5984679a18a5a1575f2b2ef Mon Sep 17 00:00:00 2001 From: Norwin Schnyder Date: Wed, 8 Oct 2025 07:23:12 +0000 Subject: [PATCH 3/3] Add goal for runtime indicators Signed-off-by: Norwin Schnyder --- geps/gep-4152/index.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/geps/gep-4152/index.md b/geps/gep-4152/index.md index f4f482a0fe..662db855b6 100644 --- a/geps/gep-4152/index.md +++ b/geps/gep-4152/index.md @@ -38,7 +38,7 @@ CA bundles. * As an application developer, I want an alternative to disabling verification, such as certificate or SPKI pinning, so I can securely communicate with backends using self-signed certificates without managing CA bundles. -* As a gateway operator, I want to control whether skipping TLS verification is +* As a gateway operator, I want to control whether skipping TLS validation is permitted for specific Gateways. * As a security officer, I want transparency and auditability into where TLS verification has been disabled. @@ -46,13 +46,15 @@ CA bundles. ## Goals * Enable connecting to backends over TLS without requiring certificate - validation. + verification. * Support certificate and SPKI pinning as alternatives to disabling verification or relying on CA trust chains. * Maintain a secure-by-default approach, with certificate verification enabled unless explicitly opted out. * Provide operator-level controls so Gateway constraints can restrict or permit the use of skip-verify. +* Provide clear runtime indicators that security is degraded when TLS validation + is disabled. ## API