
Spiffe support

Open marquiz opened this issue 2 years ago • 15 comments

What would you like to be added:

Support SPIFFE for verifying nfd-worker/labeler IDs. For example, utilize SPIFFE IDs for verifying the identity of the creator of NodeFeature objects, so that an actor from node A will not be able to modify properties of node B. This would also add one extra layer of protection (in addition to RBAC) on who is authorized to modify nodes with NodeFeature objects.

To simplify, gRPC could possibly be left out of scope, if needed, as it's being phased out.

Inspired by a comment from @AhmedGrati on the node-feature-discovery Slack channel.

Why is this needed:

Improved security

marquiz avatar Apr 25 '23 08:04 marquiz
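
The node-binding check requested above could look like the following sketch. It is an added example, not code from node-feature-discovery or from anyone in this thread. It assumes a hypothetical ID layout `spiffe://<trust-domain>/nfd-worker/<node-name>`, a constructed trust domain `example.org`, made-up function names, and that the SPIFFE ID was already authenticated (for example, read from a verified SVID).

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Character sets from the SPIFFE ID spec: trust domain, then path segment.
var trustDomainRe = regexp.MustCompile(`^[a-z0-9._-]+$`)
var segmentRe = regexp.MustCompile(`^[a-zA-Z0-9._-]+$`)

// nodeFromSpiffeID extracts the node name from an ID of the assumed form
// spiffe://<trust-domain>/nfd-worker/<node-name> (hypothetical layout).
// Empty, "." and ".." segments, queries, fragments and escapes are rejected.
func nodeFromSpiffeID(id, trustDomain string) (string, error) {
	rest := strings.TrimPrefix(id, "spiffe://")
	parts := strings.Split(rest, "/")
	// rest == id means the spiffe:// prefix was missing.
	if rest == id || !trustDomainRe.MatchString(parts[0]) || parts[0] != trustDomain {
		return "", fmt.Errorf("not a SPIFFE ID in the expected trust domain")
	}
	for _, seg := range parts[1:] {
		if !segmentRe.MatchString(seg) || seg == "." || seg == ".." {
			return "", fmt.Errorf("malformed path")
		}
	}
	if len(parts) != 3 || parts[1] != "nfd-worker" {
		return "", fmt.Errorf("not an nfd-worker identity")
	}
	return parts[2], nil
}

// authorizeNodeFeature allows a write only when the caller's identity names the node the object targets.
func authorizeNodeFeature(spiffeID, trustDomain, targetNode string) error {
	node, err := nodeFromSpiffeID(spiffeID, trustDomain)
	if err != nil {
		return fmt.Errorf("deny: %w", err)
	}
	if node != targetNode {
		return fmt.Errorf("deny: identity of node %q cannot write features for node %q", node, targetNode)
	}
	return nil
}

func main() { // constructed sample ID and node names
	id := "spiffe://example.org/nfd-worker/node-a"
	fmt.Println(authorizeNodeFeature(id, "example.org", "node-a"), authorizeNodeFeature(id, "example.org", "node-b"))
}
```

This check sits on top of RBAC rather than replacing it: RBAC decides whether the caller may write NodeFeature objects at all, and the identity check narrows that to objects for the caller's own node.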

/assign

AhmedGrati avatar Sep 07 '23 21:09 AhmedGrati

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Jan 27 '24 22:01 k8s-triage-robot

/remove-lifecycle stale

AhmedGrati avatar Jan 30 '24 15:01 AhmedGrati

Only comment: make sure it is optional and easy to enable/disable from Helm.

ArangoGutierrez avatar Jan 30 '24 15:01 ArangoGutierrez

@ArangoGutierrez yes that's for sure!

AhmedGrati avatar Jan 30 '24 15:01 AhmedGrati

/assign

TessaIO avatar Apr 22 '24 16:04 TessaIO