Istio multicluster authentication options #53992

Open
@epandolfo-plaid

Description

Describe the feature request
(versions: latest)

Context

  • The istio multi-cluster docs instruct users to enable endpoint discovery by using istioctl to create a service account token and manually copy it to other clusters (exactly which clusters depends on the control plane topology).
  • This is sub-optimal for a number of reasons:
    • There does not seem to be a good way to automate the provisioning of this token.
    • It does not get automatically rotated, per security best practices.
    • It must be manually re-installed in the event the token is invalidated.
    • Should the token become invalid, manual effort is required to manually re-install the token, preventing automated remediation.
  • There might be an alternative approach, but it isn’t very well documented.
    • istioctl create-remote-secret supports arbitrary auth plugins, but does not explain how to use other plugins to generate a secret.

Problem Statement

  • Ideally, there is a well-documented way to connect Istio Clusters without manually copying API Tokens between them.

Possible Solutions

  1. [Extend Authentication Options] Currently only serviceaccount tokens are supported out of the box via istioctl create-remote-secret. Kubernetes supports a lot of different authentication options. It would be great if Istio could provide support out-of-the-box for some of these options, such as client certificates or OIDC tokens.
  2. [API Server Proxy] Alternatively, Istio could expose the requisite API server resources via an internal proxy. This is, for example, how cilium's clustermesh feature is implemented; it exposes endpoints via the clustermesh-apiserver component. Cilium agents in other clusters call into an ingress for the clustermesh-apiserver component, rather than the clusters' apiserver directly.

Affected product area (please put an X in all that apply)

[ ] Ambient
[ ] Docs
[ ] Dual Stack
[X] Installation
[ ] Networking
[ ] Performance and Scalability
[ ] Extensions and Telemetry
[ ] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure

Affected features (please put an X in all that apply)

[X] Multi Cluster
[ ] Virtual Machine
[ ] Multi Control Plane

*Additional context*
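Because the copied service account tokens are not rotated, an operator will want to know when each one expires. The following is an added example, not code from this issue or from the Istio project: it reads the kubeconfig stored in a remote secret and reports the bearer token's exp claim per cluster. It assumes the secret layout istioctl create-remote-secret emits (one data key per remote cluster holding a base64 kubeconfig, labelled istio/multiCluster=true) and runs on a constructed sample secret rather than a live cluster.

```python
import base64
import json
import re

# Matches the "token:" line of a kubeconfig user entry (simple regex instead of a YAML parser).
TOKEN_RE = re.compile(r"^\s*token:\s*(\S+)", re.MULTILINE)

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def token_expiry(token: str):
    """Return the JWT 'exp' claim, or None if absent (legacy SA tokens carry no exp).
    The signature is NOT verified here; this is a hygiene check, the API server verifies it."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    return json.loads(_b64url_decode(parts[1])).get("exp")

def audit_remote_secret(secret: dict, now: int) -> dict:
    """Map each cluster key of an Istio remote secret (assumed layout) to a token status."""
    report = {}
    for cluster, b64_kubeconfig in secret.get("data", {}).items():
        kubeconfig = base64.b64decode(b64_kubeconfig).decode()
        tokens = TOKEN_RE.findall(kubeconfig)
        if not tokens:
            report[cluster] = "no bearer token (non-token auth plugin?)"
            continue
        exp = token_expiry(tokens[0])
        if exp is None:
            report[cluster] = "no exp claim: legacy non-expiring token, rotate manually"
        elif exp <= now:
            report[cluster] = "expired"
        else:
            report[cluster] = f"expires in {(exp - now) // 86400}d"
    return report

# ---- constructed sample input (not real tokens or clusters) ----
def _unsigned_jwt(claims: dict) -> str:
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

def _sample_secret(cluster: str, token: str) -> dict:
    kubeconfig = f"apiVersion: v1\nkind: Config\nusers:\n- name: {cluster}\n  user:\n    token: {token}\n"
    return {"metadata": {"labels": {"istio/multiCluster": "true"}},
            "data": {cluster: base64.b64encode(kubeconfig.encode()).decode()}}

NOW = 1_700_000_000
EXPIRED = _sample_secret("cluster2", _unsigned_jwt({"sub": "remote-reader", "exp": NOW - 60}))
LEGACY = _sample_secret("cluster3", _unsigned_jwt({"sub": "remote-reader"}))

if __name__ == "__main__":
    for s in (EXPIRED, LEGACY):
        print(audit_remote_secret(s, NOW))
```

Against a real cluster the same function can be fed the JSON of each secret selected by the istio/multiCluster label.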

    • Status

      > P2