azure: Use IMDS attested metadata document for node identity #18163
hakman wants to merge 1 commit into kubernetes:master from
Skipping CI for Draft Pull Request. |
/test pull-kops-e2e-azure-cni-cilium |
Replace the resourceID+vmID token with a PKCS7-signed attested metadata document from the Azure IMDS. The authenticator queries the attested document endpoint, and the verifier validates the PKCS7 signature chain, checks the nonce and expiration, then cross-verifies the signed vmId against the Azure API response.

Signed-off-by: Ciprian Hacman <ciprian@hakman.dev>
```mermaid
flowchart TD
    A[VerifyToken] --> B{ResourceID scope valid?}
    B -- no --> X1[reject]
    B -- yes --> C[Verify PKCS7 signature + SAN]
    C --> D[Check nonce + freshness]
    D --> E{Embedded cert chain valid?}
    E -- yes --> G
    E -- no --> F{Matching issuer embedded?}
    F -- yes --> X2[reject: broken chain]
    F -- no --> F1[Fetch intermediates from Microsoft PKI]
    F1 --> F2{Chain valid now?}
    F2 -- no --> X3[reject]
    F2 -- yes --> G
    G{Attested subscriptionId matches?}
    G -- no --> X4[reject]
    G -- yes --> H[Azure API: get VM]
    H --> I{Attested vmId == API vmId?}
    I -- no --> X5[reject]
    I -- yes --> J[Return node identity ✓]
```
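The verifier's post-signature checks described above (nonce, expiry, subscription scope, vmId cross-check against the Azure API), as an added Go example that is not the PR's or kops' own code. It assumes the PKCS7 signature and certificate chain over the payload have already been verified by a separate step, that the payload is the IMDS attested-document JSON, and an assumed two-minute clock-skew allowance.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// AttestedDocument is the signed JSON payload of the IMDS attested metadata response.
type AttestedDocument struct {
	Nonce          string `json:"nonce"`
	VMID           string `json:"vmId"`
	SubscriptionID string `json:"subscriptionId"`
	TimeStamp      struct {
		ExpiresOn string `json:"expiresOn"`
	} `json:"timeStamp"`
}

const imdsTimeLayout = "01/02/06 15:04:05 -0700" // IMDS format, e.g. "11/20/18 22:07:39 -0000"
const maxSkew = 2 * time.Minute                  // tolerated clock skew (assumed value)

// VerifyAttestedClaims runs the post-signature checks from the PR (nonce, expiry, subscription
// scope, vmId cross-check against the Azure API); it assumes the PKCS7 signature and chain were verified.
func VerifyAttestedClaims(payload []byte, nonce, subscription, apiVMID string, now time.Time) (string, error) {
	var doc AttestedDocument
	if err := json.Unmarshal(payload, &doc); err != nil {
		return "", errors.New("attested document: malformed JSON")
	}
	// The nonce binds the document to this verification request (replay protection).
	if subtle.ConstantTimeCompare([]byte(doc.Nonce), []byte(nonce)) != 1 {
		return "", errors.New("attested document: nonce mismatch")
	}
	expires, err := time.Parse(imdsTimeLayout, doc.TimeStamp.ExpiresOn)
	if err != nil {
		return "", errors.New("attested document: unparseable expiresOn")
	}
	if now.After(expires.Add(maxSkew)) {
		return "", errors.New("attested document: expired")
	}
	if !strings.EqualFold(doc.SubscriptionID, subscription) {
		return "", errors.New("attested document: subscription mismatch")
	}
	// The signed vmId must equal what the Azure API reports for the claimed VM.
	if doc.VMID == "" || !strings.EqualFold(doc.VMID, apiVMID) {
		return "", errors.New("attested document: vmId does not match Azure API")
	}
	return doc.VMID, nil
}
```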