How to deal with Istio Root CA Cert available as a k8s secret?

So Istio's root CA cert is readily available as a Kubernetes secret in the istio-system namespace. Even if istio-system namespace access is isolated, if someone acquires access to the k8s secret they can get the ca.key in plaintext and later use that key to sign any number of additional certificates. Our company sees this as a security risk, so I'm wondering if it's possible to have an airtight solution so that the root CA cert is not available easily? Would love to learn how other companies use this in production as well.

There is a plan to integrate with external CAs so that the private signing keys are not in the K8s clusters at all. There is a general RFC to describe this. There is also a demo feature that interfaces with an external CA interoperable with K8s CSR: "Istio / Custom CA Integration using Kubernetes CSR [experimental]". More active development on this is expected for Istio 1.10.
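
While the signing key still lives in the cluster, the exposure raised in the question depends on who can read Secrets in istio-system. The sketch below is an added example, not part of the original thread and not Istio code: it lists those subjects from RBAC objects shaped like the `items` of `kubectl get roles,rolebindings,clusterroles,clusterrolebindings -A -o json`. All role, binding and subject names in the sample are constructed.

```python
NAMESPACE = "istio-system"  # namespace named in the thread
READ_VERBS = {"get", "list", "watch", "*"}  # each one exposes secret data
def rule_reads_secrets(rule):
    """True if an RBAC rule grants read on core-group Secrets.
    Conservative: rules narrowed by resourceNames are still reported."""
    return (bool({"", "*"} & set(rule.get("apiGroups", [])))
            and bool({"secrets", "*"} & set(rule.get("resources", [])))
            and bool(READ_VERBS & set(rule.get("verbs", []))))

def secret_readers(items, namespace=NAMESPACE):
    """Sorted (kind, name, binding) tuples for subjects able to read Secrets in `namespace`."""
    grants = {}  # (kind, namespace, name) -> role grants secret read
    for obj in items:
        if obj["kind"] in ("Role", "ClusterRole"):
            meta = obj["metadata"]
            key = (obj["kind"], meta.get("namespace", ""), meta["name"])
            grants[key] = any(map(rule_reads_secrets, obj.get("rules") or []))
    found = set()
    for obj in items:
        meta = obj["metadata"]
        if obj["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if obj["kind"] == "RoleBinding" and meta.get("namespace") != namespace:
            continue  # a RoleBinding only grants inside its own namespace
        ref = obj["roleRef"]
        ref_ns = meta.get("namespace", "") if ref["kind"] == "Role" else ""
        if grants.get((ref["kind"], ref_ns, ref["name"])):
            for subj in obj.get("subjects") or []:
                found.add((subj["kind"], subj["name"], meta["name"]))
    return sorted(found)

def _role(kind, name, resource, verbs, ns=""):
    return {"kind": kind, "metadata": {"name": name, "namespace": ns},
            "rules": [{"apiGroups": [""], "resources": [resource], "verbs": verbs}]}

def _bind(kind, name, ref_kind, ref_name, subj_kind, subj_name, ns=""):
    return {"kind": kind, "metadata": {"name": name, "namespace": ns},
            "roleRef": {"kind": ref_kind, "name": ref_name},
            "subjects": [{"kind": subj_kind, "name": subj_name}]}

# Constructed sample objects (not from a real cluster).
SAMPLE = [
    _role("ClusterRole", "secret-reader", "secrets", ["get", "list"]),
    _role("Role", "ca-manager", "secrets", ["*"], ns="istio-system"),
    _bind("ClusterRoleBinding", "ops-secrets", "ClusterRole", "secret-reader", "Group", "ops-team"),
    _bind("RoleBinding", "ca-binding", "Role", "ca-manager", "ServiceAccount", "example-sa", ns="istio-system"),
    _bind("RoleBinding", "dev-secrets", "ClusterRole", "secret-reader", "User", "dev", ns="default"),
]
if __name__ == "__main__": print(secret_readers(SAMPLE))
```

The cluster-wide binding is reported even though it never names istio-system, while the RoleBinding in `default` is not.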