Admin kubeconfig management

The first approach is that we issue client certificates with cluster-admin privileges. This can be done either through Kubernetes' CertificateSigningRequest (CSR) resources, or by manually issuing certificates against a self-signed CA certificate which is installed as a client CA certificate in the cluster.

One point to consider is that Kubernetes doesn’t support issuing client certificates for group system:masters through CSR signer kubernetes.io/kube-apiserver-client. However, group system:cluster-admins is allowed, and functionally equivalent on OpenShift 4.

Note that we can’t revoke certificates issued through CSRs or through a self-managed CA certificate. However, if we use a self-managed CA certificate, we can invalidate any existing certificates by rotating the CA and issuing a new certificate from the new CA.

The second approach is that we setup a Kubernetes service account which is granted cluster-admin privileges through a ClusterRoleBinding and issue service account tokens for that service account.

We’ve got two options to generate tokens for service accounts:

The only way to permanently invalidate service account tokens (both non-expiring and time-bound) is to delete the service account. Creating a new service account with the same name in the same namespace doesn’t reactivate tokens associated with a previous service account, since the tokens contain the service account’s Kubernetes resource UID.

The proposed approach for using service account tokens is to use the TokenRequest API to create short-lived API tokens to generate expiring admin credentials by default. Additionally, introduce a mechanism to force the tool to recreate the service account to invalidate any old tokens that might have leaked. That mechanism might be as simple as having the tool reconcile the service account and recreate it if it gets deleted.

We can extend Steward to manage and renew the credentials and store them in Vault.

This allows us to issue relatively short-lived credentials (on the order of days), which limits the attack surface presented by engineers accessing admin credentials in emergency situations.

Optionally, we can also extend Steward to render a full kubeconfig file based on the managed credentials and store that file in Vault in addition to the raw credentials. If we store a full kubeconfig file in Vault, we can document a single vault CLI command which fetches the emergency kubeconfig for a cluster.

Instead of extending Steward, we could also create a new controller which manages admin credentials and writes them to an external secrets store. This would provide some level of separation of concerns, since managing admin credentials isn’t necessarily part of the Project Syn bootstrap process. Additionally, having a separate tool allows us to have releases independent of the fairly complex Steward release process. Finally, this gives us some freedom, as we’re more decoupled from Project Syn and don’t necessarily need to write the credentials to the Project Syn Vault.

Another approach is to manage and renew the admin credentials by hand.