
Felix supports authenticating with user/password etcd

Open bienkma opened this issue 2 years ago • 7 comments

Description

  • Calico-Felix does not support authenticating with a username and password to etcd. As a result, the etcd cluster cannot be run in authenticated mode, and we can't set role-based access for every Felix agent. When a Felix agent is hacked, a hacker can change rules and execute more actions.

Todos

  • [x] Add username/password configuration to the Felix agent
  • [x] Example /etc/calico/felix.cfg file:

```ini
DatastoreType=etcdv3
EtcdEndpoints=https://127.0.0.1:2379
EtcdCertFile=/home/bienkma/tmp/server.crt
EtcdCaFile=/home/bienkma/tmp/ca.pem
EtcdKeyFile=/home/bienkma/tmp/server.pem
LogPrefix=/var/log/calico/felix.log
EtcdUsername=calico-ro
EtcdPassword=change_me
```

bienkma avatar Apr 28 '22 02:04 bienkma

CLA assistant check
All committers have signed the CLA.

CLAassistant avatar Apr 28 '22 02:04 CLAassistant

Hey @bienkma ! Sorry for the delay. We'll need to look at this PR.

I don't recall how etcd auth is handled in the other Calico components, but is the approach in this PR the same? I wonder if we'll need to update the calico-etcd manifest as well (https://projectcalico.docs.tigera.io/manifests/calico-etcd.yaml).

lmm avatar Jun 28 '22 16:06 lmm

Hi @lmm, I have not yet seen what you mention. I created the PR when setting up calico-Felix on VM/physical servers for hostEndpoint and granting policy. I didn't test with Kubernetes and other components.

bienkma avatar Jun 30 '22 04:06 bienkma

@bienkma We definitely already have that support, because it is used when Felix is run with OpenStack. I will try to find a pointer for you...

nelljerram avatar Jun 30 '22 16:06 nelljerram

@bienkma You should be able to specify an etcd username and password with these environment variables: CALICO_ETCD_USERNAME or ETCD_USERNAME, and CALICO_ETCD_PASSWORD or ETCD_PASSWORD. Please give those a try.

nelljerram avatar Jun 30 '22 16:06 nelljerram
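The description above asks for role-based, least-privilege etcd access per Felix agent, and the comment above names the environment variables that carry the credentials. The following is an added example, not code from the Calico project or from anyone in this thread: it creates a read-only etcd role and user for Felix with etcdctl (v3 API, run from an already authenticated admin session), and checks that a felix.cfg carrying an inline EtcdPassword is not readable beyond its owner. The /calico/ key prefix, the role and user names, and the assumption that the env vars work as the maintainers state are all assumptions.

```shell
#!/bin/sh
# Added example for this thread (not Calico project code).
# Assumes: etcdctl speaks the v3 API (ETCDCTL_API=3) and is already
# authenticated as an etcd admin; Calico keys live under /calico/ (assumed).

ETCDCTL="${ETCDCTL:-etcdctl}"
CALICO_PREFIX="${CALICO_PREFIX:-/calico/}"

# make_readonly_role ROLE: grant ROLE read-only access to the Calico prefix.
# Caveat: if Felix status reporting is enabled it also writes keys; extend the
# grant to exactly those keys (see the Felix docs), not to the whole prefix.
make_readonly_role() {
  role="$1"
  "$ETCDCTL" role add "$role"
  "$ETCDCTL" role grant-permission --prefix=true "$role" read "$CALICO_PREFIX"
}

# make_felix_user USER PASSWORD ROLE: create the per-agent user bound to ROLE
# only. The password is passed via a flag here for brevity; on a shared host
# prefer etcdctl's interactive prompt so it does not show up in the process list.
make_felix_user() {
  user="$1"; password="$2"; role="$3"
  "$ETCDCTL" user add "$user" --new-user-password="$password"
  "$ETCDCTL" user grant-role "$user" "$role"
}

# cfg_exposes_password FILE: returns 0 (true) when FILE holds an inline
# EtcdPassword= line AND is readable by group or others, i.e. the secret the PR
# adds to felix.cfg would leak to any local user. Returns 1 otherwise.
cfg_exposes_password() {
  cfg="$1"
  grep -q '^EtcdPassword=' "$cfg" || return 1   # no inline password: nothing to leak
  perm=$(ls -ld "$cfg" | cut -c5-10)             # group + other permission bits
  case "$perm" in *r*) return 0 ;; esac          # readable beyond the owner
  return 1
}

# Typical use (not executed on load):
#   make_readonly_role calico-ro
#   make_felix_user felix-node1 "$(cat /run/secrets/felix-etcd-pass)" calico-ro
#   export CALICO_ETCD_USERNAME=felix-node1 CALICO_ETCD_PASSWORD=...   # then start Felix
#   cfg_exposes_password /etc/calico/felix.cfg && echo "felix.cfg leaks the etcd password"
```

Keeping the credentials in the environment (as the maintainers suggest) rather than in felix.cfg sidesteps the file-permission check entirely; the check is for deployments that adopt the file-based keys from the description.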

> @bienkma You should be able to specify an etcd username and password with these environment variables: CALICO_ETCD_USERNAME or ETCD_USERNAME, and CALICO_ETCD_PASSWORD or ETCD_PASSWORD. Please give those a try.

I don't remember exactly which calico-felix version I used in 04/2022, but I tried those environment variables and they did not work. Note: I only use calico-felix to manage iptables policy on VM/physical servers.

bienkma avatar Jul 02 '22 07:07 bienkma

Yep, I believe these are the config values that we would expect to work: https://github.com/projectcalico/calico/blob/177db3b4babbbfe0a027d9770c1deb6af65fec42/libcalico-go/lib/apiconfig/apiconfig.go#L54-L55

Should work for VM / physical server use-case. I think we'll need to dig into why those didn't work for you before we merge any changes here.

caseydavenport avatar Aug 09 '22 16:08 caseydavenport

@bienkma, if you're still seeing issues with this, would you mind opening an issue so we can follow up with it there? I think in light of the changes we already have, these may not be needed, so I'll close this, but we can always reopen it if necessary.

mgleung avatar Sep 19 '22 22:09 mgleung