Securing Istio PKI

Hey
As I understand, the PKI is the most sensitive part of Istio - and a compromised root certificate allows a hacker to impersonate any service. How can I protect the root certificate? Something besides Vault CA integration? I’ll be happy to read more about the security model and have a deeper understanding - is there something like a public threat model available?

Thanks!
Omer

You ask two different questions: what is the Istio PKI root threat model, or how to plug in PKI infra other than Vault?

For the first one, the doc I’m aware of is https://istio.io/docs/concepts/security/#node-agent-in-kubernetes. Prior to SDS, roots were delivered via secret mounts; in 1.1, with SDS introduced, the root can be delivered via SDS through the Citadel Agent.

As for the second one, that’s interesting. Do you mind sharing more requirements about pluggability?

It really depends on the threat model - meaning, intuitively, I want to say that I would like to have HSM protection for the root CA. So either support for systems like Azure KeyVault or PKCS11. This will make it almost impossible to extract the keys and give built-in audit capabilities. As this is the root of trust of the authentication, this is pretty important.

There is some work to support HSMs, but it is still in an early phase as far as I know: Review request - Istio CA key protection using SoftHSM

Reviving an old but still relevant topic. I believe what @omerlh had in mind was some publication like https://www.vaultproject.io/docs/internals/security.html.

I’m especially interested in understanding what safeguards there are with respect to self-signed certificates and if you execute any of the commonly known mitigations like certificate pinning.