Document approaches for infrastructure providers to consider for securing sensitive bootstrap data #1739
Description
User Story
As a user/operator, I would like to avoid exposing sensitive data (such as certificate private keys) in hypervisor bootstrap data to minimize attack surfaces.
Detailed Description
CAPI generates sensitive cluster data (such as private keys) for the apiserver, etcd, etc. These are stored as secrets in Kubernetes. The kubeadm bootstrapper copies the contents of the secrets into bootstrap data in the KubeadmConfig resource, which is then copied into the Machine resource. Infrastructure providers such as CAPA and CAPV (and presumably others that use cloud-init style bootstrap data) use this bootstrap data as the user data for the VM/hypervisor. In many/most instances, if a user has read-only access to the VM in the provider's API (such as AWS's ec2:DescribeInstances permission), this likely grants them access to the user data, and therefore access to the sensitive data.
Ideally, the VM itself has permission to read the sensitive data, but a user with cloud provider API access to the VM must not be able to do so.
The method used to secure this sensitive data is likely specific to each infrastructure provider. We should document what types of mechanisms to look for (such as a secure data store) so the developers of an infrastructure provider can implement this functionality.
/kind documentation
/priority important-soon
/milestone v0.3.0