[5/8] coordinator: support insecure manifests behind opt-in#2356
[5/8] coordinator: support insecure manifests behind opt-in#2356msanft wants to merge 2 commits into
Conversation
4a00b00 to
657abac
Compare
552c173 to
27802b6
Compare
27802b6 to
7073c58
Compare
657abac to
41b8d92
Compare
7073c58 to
af50bbe
Compare
41b8d92 to
c596cca
Compare
72898ef to
f2897e6
Compare
af50bbe to
65b519a
Compare
f2897e6 to
91b1df7
Compare
65b519a to
891d7f0
Compare
91b1df7 to
db7cd22
Compare
6223484 to
acaa9fd
Compare
a8f6eb6 to
fd0d094
Compare
9eeeeba to
55e4947
Compare
bbf67f4 to
9da6471
Compare
21d6bec to
1cd7565
Compare
c168265 to
28e1b1e
Compare
b1dd9dc to
746bc55
Compare
28e1b1e to
464e044
Compare
746bc55 to
9b0cc73
Compare
464e044 to
0762a6e
Compare
9b0cc73 to
50a85ba
Compare
0762a6e to
1cff241
Compare
50a85ba to
abb75b8
Compare
62ac3e2 to
9d6a048
Compare
abb75b8 to
2701421
Compare
charludo
left a comment
There was a problem hiding this comment.
Thanks! Sorry review took so long. I have a couple of comments, see below; the one architectural one I want to get your opinion on is if we should allow mixed manifests. Is that something you actually require? Because if not, then I'd strongly urge to allow either all-secure, or all-insecure manifests, no mix.
9b08076 to
f13a5d2
Compare
sespiros
left a comment
There was a problem hiding this comment.
Thanks, I second Charlotte's comment about needing to decide whether we want to allow mixed manifests. My understanding was that we actually do need to do that for the benchmarking use case that triggered this PR series.
If that's the case we should at least close the impersonation gap by adding a per-policy attestation-type binding (which doesn't exist today). An attacker who controls an insecure node can produce an attestation that authenticates as any CC policy in the manifest, because meshapi.NewMeshCert does Policies[hostData] without checking which validator produced the hostData.
For example like:
type PolicyEntry struct {
SANs []string
WorkloadSecretID string
Role Role
AllowedAttestationOIDs []asn1.ObjectIdentifier `json:",omitempty"`
}f7a0675 to
c8c1132
Compare
2701421 to
6bf854e
Compare
I've thought about this for some time now, and couldn't think of a use-case we'd need a mixed manifest for. I second your opinion that it should not be allowed then. |
66d886c to
003a4ba
Compare
003a4ba to
0743b72
Compare
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
0743b72 to
b95c24d
Compare
|
ping, this should be ready for another round of review @burgerdev @sespiros @charludo |
Split from #2337 as part of a stacked review series.
Depends on: #2355
This PR wires insecure manifests into the Coordinator behind explicit opt-in:
Closes CON-212