Cluster API: Node lifecycle extension points

#1

As part of the node-lifecycle workstream, we are collecting user stories for extension points for node lifecycle management here, and/or in this blank KEP.

For a reminder, node lifecycle management relates to the creation of machines, the joining of them to a Kubernetes cluster, and any Day 2 operations thereof, as well as their eventual deletion.

Extension mechanism here relates to the provider specific things that would need to be done as far as node lifecycle management goes.

Cluster API: Node lifecycle management workstream

#2

One thing that keeps me up at night (not really) is how to prove a node really should belong to a cluster.

For instance, NIST specifically call out using TPM measurements (Countermeasure 4.6, NIST SP 800-190) to ensure node identity. vSphere and Hyper-V both support vTPMs for this purpose. AWS provide Instance Identity Documents that can be used to verify an instance’s identity.

I would like to see one of these extension points be a host attestation hook, which can be a no-op in the general case (if the node has a token, then so be it), but allow someone to use provider specific attestation mechanisms to guarantee node identity.

This can then be used to set labels from a controller level rather than allowing kubelet to set its own labels.
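The hook shape proposed above, as an added example that is not Cluster API code and not any provider's real verification: a Go interface with a no-op implementation for the token-only case beside one that verifies a provider-signed identity document and derives node labels controller-side. It assumes an Ed25519-signed JSON document as a constructed stand-in for a provider identity document, a constructed key pair, and invented interface, field and label names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// IdentityDocument is a constructed stand-in for a provider-signed identity
// document; the field names are assumptions, not any provider's real schema.
type IdentityDocument struct {
	InstanceID string `json:"instanceId"`
	Region     string `json:"region"`
}

// AttestationHook is the assumed extension point: given a node's identity
// document and its signature, return controller-assigned labels or reject it.
type AttestationHook interface {
	Attest(doc, sig []byte) (map[string]string, error)
}

// NoOpHook is the general case: a node that presented a bootstrap token is
// admitted as-is and receives no attested labels.
type NoOpHook struct{}

func (NoOpHook) Attest(doc, sig []byte) (map[string]string, error) { return map[string]string{}, nil }

// SignedDocHook verifies the document against a trusted provider public key
// and derives labels from the verified content, not from kubelet self-reports.
type SignedDocHook struct{ Trusted ed25519.PublicKey }

func (h SignedDocHook) Attest(doc, sig []byte) (map[string]string, error) {
	if !ed25519.Verify(h.Trusted, doc, sig) {
		return nil, errors.New("identity document signature invalid")
	}
	var id IdentityDocument
	if err := json.Unmarshal(doc, &id); err != nil {
		return nil, err
	}
	if id.InstanceID == "" || id.Region == "" {
		return nil, errors.New("identity document incomplete")
	}
	// Label keys are assumptions chosen for the example.
	return map[string]string{"node.example.io/instance-id": id.InstanceID, "topology.kubernetes.io/region": id.Region}, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed provider key pair
	doc, _ := json.Marshal(IdentityDocument{InstanceID: "i-0123", Region: "us-east-1"})
	labels, err := SignedDocHook{Trusted: pub}.Attest(doc, ed25519.Sign(priv, doc))
	fmt.Println(labels, err)
}
```

A real provider hook would replace the Ed25519 check with that provider's own verification (for example a certificate chain for a signed instance document or a TPM quote check) and keep the rest of the flow unchanged.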