Securing Istio PKI

As I understand, the PKI is the most sensitive part of Istio - and a compromised root certificate allows a hacker to impersonate any service. How can I protect the root certificate? Something besides Vault CA integration? I’ll be happy to read more about the security model and have a deeper understanding - is there something like a public threat model available?


You ask two different questions. What is the Istio PKI root threat model, or how to plug in PKI infra other than Vault?

For the first one, the doc I’m aware of is: prior to SDS, roots were delivered via secret mounts; in 1.1 SDS was introduced, and the root can be delivered via SDS through the Citadel Agent.

If for the second one, that’s interesting. Do you mind sharing more requirements about pluggability?

It really depends on the threat model - meaning, intuitively, I want to say that I would like to have HSM protections for the root CA. So either support for systems like Azure KeyVault or PKCS11. This will make it almost impossible to extract the keys and gives built-in audit capabilities. As this is the root of trust of the authentication, this is pretty important.

There is some work to support HSMs, but it is still in an early phase as far as I know: Review request - Istio CA key protection using SoftHSM
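Until HSM-backed keys land, the root-protection concern raised in this thread can still be narrowed by never placing the root key in the cluster: sign an intermediate CA offline and give Istio only the intermediate, in the four-file layout Istio documents for its plug-in `cacerts` secret (ca-cert.pem, ca-key.pem, root-cert.pem, cert-chain.pem). The script below is an added example, not code from the thread or from the Istio project; it needs only the openssl CLI, and the directory names, subject strings, validity periods and 2048-bit RSA keys are assumptions chosen for the example. It also includes a pre-ship check that refuses a bundle containing the root private key, lacking the pathlen:0 constraint on the intermediate, or whose key and certificate do not match.

```shell
#!/bin/sh
# Added example (not from the thread or from Istio): keep the root CA key offline and
# give the cluster only an intermediate CA, using the file layout Istio documents for
# its plug-in "cacerts" secret (ca-cert.pem, ca-key.pem, root-cert.pem, cert-chain.pem).
# Subject names, key sizes, validity and directory layout are assumptions for the example.
set -eu

write_openssl_config() {
  # Minimal self-contained config so the script does not depend on a system openssl.cnf.
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = root_ext
prompt = no

[ dn ]
O = example.test
CN = Example Root CA

[ root_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[ int_ext ]
# pathlen:0 stops the in-cluster intermediate from issuing further CA certificates
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

make_istio_ca_bundle() {
  out="$1"
  root="$out/root"        # stays on the offline machine (or behind an HSM); never shipped
  bundle="$out/cacerts"   # exactly the files the cluster receives
  mkdir -p "$root" "$bundle"
  write_openssl_config "$out/openssl.cnf"

  # 1. Offline root: private key plus self-signed certificate.
  openssl genrsa -out "$root/root-key.pem" 2048 2>/dev/null
  openssl req -x509 -new -config "$out/openssl.cnf" -key "$root/root-key.pem" \
    -sha256 -days 3650 -out "$root/root-cert.pem"

  # 2. Intermediate: key and CSR generated for the bundle, signed by the root with int_ext.
  openssl genrsa -out "$bundle/ca-key.pem" 2048 2>/dev/null
  openssl req -new -config "$out/openssl.cnf" -key "$bundle/ca-key.pem" -sha256 \
    -subj "/O=example.test/CN=Example Istio Intermediate CA" -out "$out/intermediate.csr"
  openssl x509 -req -in "$out/intermediate.csr" -CA "$root/root-cert.pem" \
    -CAkey "$root/root-key.pem" -CAcreateserial -days 730 -sha256 \
    -extfile "$out/openssl.cnf" -extensions int_ext -out "$bundle/ca-cert.pem" 2>/dev/null

  # 3. Remaining files of the cacerts layout: the (public) root certificate and the chain.
  cp "$root/root-cert.pem" "$bundle/root-cert.pem"
  cat "$bundle/ca-cert.pem" "$bundle/root-cert.pem" > "$bundle/cert-chain.pem"
}

# Pre-ship check on a bundle directory: all four files present, root private key absent,
# intermediate constrained with pathlen:0, chain verifies, and key matches certificate.
check_bundle() {
  dir="$1"
  for f in ca-cert.pem ca-key.pem root-cert.pem cert-chain.pem; do
    [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
  done
  [ ! -f "$dir/root-key.pem" ] || { echo "root key must not be in the bundle" >&2; return 1; }
  openssl x509 -in "$dir/ca-cert.pem" -noout -text | grep -q 'pathlen:0' \
    || { echo "intermediate lacks pathlen:0" >&2; return 1; }
  openssl verify -CAfile "$dir/root-cert.pem" "$dir/ca-cert.pem" >/dev/null \
    || { echo "intermediate does not chain to root" >&2; return 1; }
  [ "$(openssl x509 -in "$dir/ca-cert.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$dir/ca-key.pem" -pubout)" ] \
    || { echo "ca-key.pem does not match ca-cert.pem" >&2; return 1; }
}
```

Usage: run `make_istio_ca_bundle ./out` on the offline machine, then `check_bundle ./out/cacerts` before turning that directory into the `cacerts` secret in istio-system; `./out/root` never leaves the offline machine. A compromise of the in-cluster CA then costs an intermediate that can be revoked and reissued from the root, rather than the root of trust itself.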