k8s icon indicating copy to clipboard operation
k8s copied to clipboard

Published 20 hours ago verified publisher icon cockroachdb

Concerns about using the common name "root" in our root client cert

Open a-robinson opened this issue 6 years ago • 3 comments

As discussed at https://youtu.be/JMCCeAb9eY4?t=1h41s, using the common name "root" for the root client inside a Kubernetes cluster is a bad idea, because it could potentially give the certificate root access to the Kubernetes cluster itself (given that we're using the Kubernetes cluster's CA). We should try to scope this down using some other common name if possible.

@mberhault

a-robinson avatar Mar 02 '18 23:03 a-robinson

Given the fact that root is a hard-coded user in cockroach, I'm not entirely sure this is feasible. We could create a less common username and add it to the newly-introduced admin role (eg: crdb-root) and grant a certificate for that, but there's still nothing preventing you from creating a certificate for root and leaking it.

mberhault avatar Mar 08 '18 14:03 mberhault

I think the point is that we should mark our user certificates in some way instead of just interpreting the common name on any cert from our CA as a username. (if this is an issue, it sounds like kubernetes may have made the same mistake).

bdarnell avatar Mar 08 '18 17:03 bdarnell

We have to use the CN with exactly the user name, or we're not longer pg compatible. see: https://www.postgresql.org/docs/10/static/auth-methods.html#AUTH-CERT

If k8s does the same, and only requires a valid certificate chain and the client auth capability, then there's not much we can do in the certificate itself.

mberhault avatar Mar 08 '18 18:03 mberhault