Unauthorized access for transport level


My ES nodes are in k8s cluster and the transport port is closed for public access. Nodes in a cluster can spawn and be removed at any time. Keystores are generated for each node during runtime and I can’t provide a trusted signing CA certificate that will be same for all ES instances.

My first idea was to disable SSL for the transport layer but keep it enabled for the REST layer. But, according to https://github.com/floragunncom/search-guard/issues/364, that is not possible.

Is it possible to prohibit certificate validation for all nodes through some configuration settings? I want to allow connections between nodes regardless of their signing certificates.

I don’t think this is possible. TLS encryption on transport layer is a building block of our security infrastructure and cannot be switched off in Search Guard (and other ES security solutions for that matter).

You can, however, have more than one trusted signing CA. And it is also possible (but less safe) to use one certificate for transport TLS on all nodes.

@cstaley any more thoughts here?

Jochen is right - that is not possible (by design).

Why can you not provide a root or signing CA for all nodes?

As I said in the first post, my ES+SG nodes live in containers.

I have 2 options for how to provide the same signing CA for all nodes:

  1. To generate and add it during the image build.
  2. Require the user to generate it before running the instance and somehow add it to the containers.

The first option doesn’t work, because all instances created from my images will have the same signing CA. Thus, any user from any instance will have an administrative certificate and administrative access to any other instance.

The second option doesn’t work, because I would like to provide the simplest and most automated use of my images. The user must perform additional steps to generate a root and signing CA before running their instance. Then the user must push the signing CA to the containers. The mechanism for pushing the signing CA will differ between container orchestration systems.

To avoid the disadvantages of these two options, I had planned to generate a signing CA and the other certificates for each node in the instances at start-up. But in this scenario, individual nodes will not communicate because of the different signing CAs. That is why I asked about the possibility of using plain HTTP for the transport layer.

But that looks like it is not possible.

So, now I plan to use option #1 (root/signing CA generated at image build time), but to disable client certificates for the REST layer. Thus, a user from one instance will not get access to other instances via the administrative certificate. It seems this solution meets my requirements.

Thank you for your help and support!
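As an added illustration of the plan described in the post above (this is not configuration from the thread or from the Search Guard project itself), the `elasticsearch.yml` settings that express it: transport TLS stays enabled with the node certificate and CA shipped in the image, hostname verification is relaxed because pod names are ephemeral, and the REST layer does not request client certificates. All file paths and the admin DN are placeholders.

```yaml
# Transport layer: TLS stays on. Every node presents a certificate issued by
# the CA baked into the image and trusts that same CA (placeholder paths).
searchguard.ssl.transport.pemcert_filepath: certs/node.pem
searchguard.ssl.transport.pemkey_filepath: certs/node-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: certs/root-ca.pem
# Pod names change constantly, so the certificate is not tied to a hostname.
searchguard.ssl.transport.enforce_hostname_verification: false

# REST layer: TLS on, but no client certificate is requested, so a client
# holding the image-wide admin certificate gets nothing extra over HTTP.
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: certs/node.pem
searchguard.ssl.http.pemkey_filepath: certs/node-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: certs/root-ca.pem
searchguard.ssl.http.clientauth_mode: NONE

# Placeholder admin DN. With clientauth_mode NONE this certificate is only
# honoured on the transport port, which is not exposed outside the cluster.
searchguard.authcz.admin_dn:
  - "CN=admin,OU=example,O=example,L=test,C=de"
```

Two things worth checking before relying on this: with `clientauth_mode: NONE` the REST layer cannot authenticate anyone by certificate, so every REST user must come through another authentication domain (basic auth, LDAP, and so on); and the setup only holds as long as the transport port really is unreachable from outside the cluster network, since anyone who reaches it with the shared admin certificate has full administrative access.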

You can use different intermediate certificates for this maybe.
