docs/agentcube/blog/release-v0.1.0/index.md
Lines changed: 1 addition & 1 deletion
@@ -101,7 +101,7 @@ Key Capabilities:
### JWT Security Chain (Router → PicoD)
-
Sandbox pods are ephemeral and may be replaced at any time; embedding a shared secret in cluster config is fragile and hard to rotate. AgentCube establishes an RSA-based trust chain: the Router generates an RSA-2048 key pair at startup, stores the public key in a Kubernetes Secret (`picod-router-identity`), and the Workload Manager injects it as `PICOD_AUTH_PUBLIC_KEY` for `CodeInterpreter` sandboxes when authentication is enabled (the default is `picod`; `none` disables injection). The Router signs short-lived (5-minute) RS256 JWTs for every proxied request. PicoD verifies these tokens entirely in-process — no network round-trip, no shared database.
+
Sandbox pods are ephemeral and may be replaced at any time; embedding a shared secret in cluster config is fragile and hard to rotate. AgentCube establishes a two-stage trust chain: the Router generates an RSA-2048 bootstrap key pair at startup, stores the public key in a Kubernetes Secret (`picod-router-identity`), and the Workload Manager injects it as `PICOD_BOOTSTRAP_PUBLIC_KEY` for `CodeInterpreter` sandboxes when authentication is enabled (the default is `picod`; `none` disables injection). A dynamic ECDSA (P-256) session key is then generated for each sandbox instance via an `/init` handshake. The Router signs short-lived (5-minute) ES256 JWTs for every proxied request. PicoD verifies these tokens entirely in-process — no network round-trip, no shared database.
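Review bot: the added sentence "A dynamic ECDSA (P-256) session key is then generated for each sandbox instance via an `/init` handshake" does not say which side generates the session key or how the `/init` payload is authenticated, so the reader cannot tell what the bootstrap public key still protects. The design document in this same change states that the bootstrap key is used only to verify the bootstrap payload during `/init`; say that here, and state explicitly which key signs the ES256 request JWTs (the text implies the per-sandbox session key, since the bootstrap key is RSA), otherwise "RSA-2048 bootstrap key pair" and "ES256 JWTs" read as a contradiction.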
docs/design/PicoD-Plain-Authentication-Design.md
Lines changed: 24 additions & 15 deletions
@@ -12,6 +12,13 @@ However, emerging use cases require a more flexible architecture where the clien
The existing self-signed key-pair model is incompatible with this centralized management flow, as it bypasses the Router's ability to mediate access. To address this, we propose a new **Plain Authentication** mechanism for `picod`. This design enables the Router/Gateway to manage credentials and connection security, simplifying the client-side workflow while maintaining robust access control.
> The flow described in this document was updated by PR #352 to address cross-sandbox token replay vulnerabilities. The original `PICOD_AUTH_PUBLIC_KEY` environment variable has been renamed to `PICOD_BOOTSTRAP_PUBLIC_KEY` (formerly `PICOD_AUTH_PUBLIC_KEY`).
+
>
+
> While `PICOD_AUTH_PUBLIC_KEY` is still supported as a fallback for backwards compatibility, deployments should migrate to `PICOD_BOOTSTRAP_PUBLIC_KEY`. Under the new model, this key is only used to verify the bootstrap payload during the `/init` handshake, which establishes a unique session keypair for subsequent requests.
+
## Use Cases
### Gateway-Managed Sandbox Access
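Review bot: the parenthetical "(formerly `PICOD_AUTH_PUBLIC_KEY`)" in the first sentence of the new note repeats the variable name that the same sentence already gives; drop it. The second paragraph says `PICOD_AUTH_PUBLIC_KEY` remains a fallback, but neither paragraph says whether a PicoD started with only the legacy variable still performs the `/init` handshake and per-session keypair or reverts to the old model in which the injected key verifies every request; since the note exists to explain a replay fix, state which behaviour the fallback gives and when the fallback is planned for removal.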
@@ -28,7 +35,7 @@ To ensure **High Availability (HA)** across multiple Router replicas and enfor
- All Router replicas share a single cryptographic identity to function as a unified Token Issuer.
-**Private Key Storage**: Stored in a Kubernetes Secret (picod-router-identity). The Private Key is accessible only by the Router component.
-
-**Public Key Distribution**: Published to a Kubernetes ConfigMap (picod-router-public-key). This is accessible by the WorkloadManager and PicoD instances.
+
-**Public Key Distribution**: Published to a Kubernetes ConfigMap (agentcube-bootstrap-identity). This is accessible by the WorkloadManager and PicoD instances.
2.**Decoupled Provisioning (WorkloadManager)**:
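Review bot: after this change the private-key Secret is still `picod-router-identity` (unchanged line above) while the public-key ConfigMap becomes `agentcube-bootstrap-identity`, so the two halves of one key pair now carry unrelated names, and "bootstrap-identity" no longer signals that this object holds only the public half. Either rename both consistently or add a sentence here saying the Secret name is intentionally unchanged; the `auth-proposal.md` hunk in this same change already calls `agentcube-bootstrap-identity` a Secret, so the split is causing drift between documents.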
@@ -52,13 +59,13 @@ Upon startup, every Router replica executes an **Atomic Initialization Routine*
- If Missing: The Router generates a new RSA/ECDSA key pair in memory and attempts to **CREATE** the Secret.
- Concurrency Handling: If the creation fails with 409 Conflict (implying another replica initialized it simultaneously), the Router discards its generated key and fetches the existing Secret created by the peer.
-
2.**Public Key Publication**: Once the Private Key is successfully loaded, the Router reconciles the picod-router-public-key ConfigMap. It ensures the Public Key in the ConfigMap matches the Private Key in memory.
+
2.**Public Key Publication**: Once the Private Key is successfully loaded, the Router reconciles the agentcube-bootstrap-identity ConfigMap. It ensures the Public Key in the ConfigMap matches the Private Key in memory.
#### 2. Provisioning Phase
- The **Router** sends a sandbox allocation request to the **WorkloadManager**. Crucially, this request **does not** contain key data.
-
- The **WorkloadManager** constructs the Pod specification. It defines an environment variable `PICOD_AUTH_PUBLIC_KEY` that sources its value from the `picod-router-public-key` ConfigMap (using `valueFrom: configMapKeyRef`).
-
-**PicoD**starts, reads the key from the **environment**, and initializes its JWT verifier.
+
- The **WorkloadManager** constructs the Pod specification. It defines an environment variable `PICOD_BOOTSTRAP_PUBLIC_KEY` that sources its value from the `agentcube-bootstrap-identity` ConfigMap. It also injects `PICOD_SESSION_ID` for defense-in-depth token validation.
+
-**PicoD**starts, reads the key from the **environment**, and waits for the `/init` handshake which establishes the per-session ECDSA keypair.
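Review bot: the new provisioning bullet says the WorkloadManager "also injects `PICOD_SESSION_ID` for defense-in-depth token validation" but never says what PicoD compares it against or where the value originates; the JWT spec later in this document sets `sub` to `<dynamic-uuid-per-sandbox>`, so state here that PicoD rejects tokens whose `sub` does not equal its `PICOD_SESSION_ID`, and name the component that generates the UUID and returns it to the Router. The last bullet should also say what PicoD does with proxied requests that arrive before `/init` has completed (reject them, presumably), since until then there is no session key to verify against.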
- **Purpose**: Stores the public key mounted into PicoD instances.
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
-
name: picod-router-public-key
+
name: agentcube-bootstrap-identity
namespace: agentcube-system
data:
# Plain text Public Key (PEM format)
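Review bot: the "Purpose" line says the ConfigMap stores "the public key mounted into PicoD instances", but the Pod spec in this document delivers it through an environment variable via `configMapKeyRef`, not a volume mount; change it to "exposed to PicoD instances as `PICOD_BOOTSTRAP_PUBLIC_KEY`". Since this key's role has changed from verifying every request to verifying only the `/init` payload, the `# Plain text Public Key (PEM format)` comment on the `data` entry should say so, or a reader of the ConfigMap alone will assume it still verifies request JWTs.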
@@ -170,18 +177,20 @@ spec:
containers:
- name: picod
env:
-
- name: PICOD_AUTH_PUBLIC_KEY
+
- name: PICOD_BOOTSTRAP_PUBLIC_KEY
valueFrom:
configMapKeyRef:
-
name: picod-router-public-key
+
name: agentcube-bootstrap-identity
key: public.pem
+
- name: PICOD_SESSION_ID
+
value: "<dynamic-uuid-per-sandbox>"
```
### 3. PicoD Configuration
The existing CLI flags for authentication are deprecated.
-
* Environment Variable: picod requires `PICOD_AUTH_PUBLIC_KEY` to be set.
-
* Behavior: If the environment variable is present, `picod` initializes the Plain Auth provider. If missing, it fails to start (or falls back to legacy mode if we decide to keep it for a transition period).
+
* Environment Variable: picod requires `PICOD_BOOTSTRAP_PUBLIC_KEY` to be set. `PICOD_SESSION_ID` is also strongly recommended to prevent cross-sandbox token replays.
+
* Behavior: If the environment variable is present, `picod` initializes the Plain Auth provider. If missing, it fails to start.
### 4. JWT Token Spec
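Review bot: the new Behavior bullet ("If missing, it fails to start") contradicts the note at the top of this document that `PICOD_AUTH_PUBLIC_KEY` is still accepted as a fallback; write "If neither `PICOD_BOOTSTRAP_PUBLIC_KEY` nor the legacy `PICOD_AUTH_PUBLIC_KEY` is set, `picod` fails to start." `PICOD_SESSION_ID` is described as "strongly recommended" to prevent cross-sandbox replays, yet the Pod spec shows only the placeholder `value: "<dynamic-uuid-per-sandbox>"` without saying how the WorkloadManager fills it, and the text does not say what PicoD does when the variable is absent (skip the `sub` check?); if this value is what stops replay, make it required, otherwise document the degraded mode explicitly.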
@@ -198,7 +207,7 @@ The Router signs tokens using the standard JWT (RFC 7519) format.
"iss": "agentcube-router", // Issuer: Fixed identifier for the Router
"iat": 1716239000, // Issued At: Unix timestamp
"exp": 1716242600, // Expiration: e.g., +1 hour
-
"sub": "client-session-id", // Subject: Identifies the client/session
+
"sub": "<dynamic-uuid-per-sandbox>", // Subject: Identifies the client/session
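Review bot: `sub` is now the per-sandbox UUID, but its comment still reads "Identifies the client/session"; update it to say this value must match the `PICOD_SESSION_ID` injected into the sandbox, since that equality is the replay check the rest of this change relies on. The unchanged `exp` example (`1716242600`, one hour after `iat`) also conflicts with the 5-minute token lifetime the release blog hunk in this same change states; pick one lifetime and align the example and the "+1 hour" comment with it.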
docs/design/auth-proposal.md
Lines changed: 1 addition & 1 deletion
@@ -14,7 +14,7 @@ Author: Mahil Patel
AgentCube currently has partial, ad-hoc authentication between its internal components but lacks a unified security model. The existing mechanisms are:
1.**Workload Manager Auth** (`pkg/workloadmanager/auth.go`): Optional Kubernetes TokenReview-based ServiceAccount token validation, gated behind `config.EnableAuth`, plus per-sandbox ownership checks using the extracted user identity (effectively relying on Kubernetes RBAC when using the user-scoped client).
-
2.**Router → PicoD Auth** (`PicoD-Plain-Authentication-Design`): A custom RSA key-pair scheme where the Router signs JWTs and PicoD verifies them using a public key exposed via the `PICOD_AUTH_PUBLIC_KEY` environment variable. The key pair (`private.pem`, `public.pem`) is stored in the `picod-router-identity` Secret, and the WorkloadManager reads this Secret to inject the public key into PicoD pods. This works for the Router→PicoD channel but leaves other internal channels unauthenticated.
+
2.**Router → PicoD Auth** (`PicoD-Plain-Authentication-Design`): A custom RSA/ECDSA key-pair scheme where the Router signs JWTs and PicoD verifies them using a public key exposed via the `PICOD_BOOTSTRAP_PUBLIC_KEY` environment variable (formerly `PICOD_AUTH_PUBLIC_KEY`). The key pair (`private.pem`, `public.pem`) is stored in the `agentcube-bootstrap-identity` Secret, and the WorkloadManager reads this Secret to inject the public key into PicoD pods. This works for the Router→PicoD channel but leaves other internal channels unauthenticated.
3.**Router → WorkloadManager**: Optional, one-sided authentication. `pkg/router/session_manager.go` can attach a `Authorization: Bearer <serviceaccount token>` header, and WorkloadManager can validate it when `--enable-auth` is enabled. This is not mutual workload identity or a zero-trust model, and when auth is disabled any pod on the cluster network can call the WorkloadManager API.
4.**External Clients → Router**: No authentication. The `handleInvoke` handler in `pkg/router/handlers.go` processes incoming requests without verifying the caller's identity.
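Review bot: this summary says the key pair is stored in the `agentcube-bootstrap-identity` Secret, but the design document in this same change renames only the public-key ConfigMap to `agentcube-bootstrap-identity` and leaves the private-key Secret as `picod-router-identity` (the release blog hunk also still says `picod-router-identity`); correct the Secret name here. The description also omits the `/init` handshake and per-session ECDSA key that the design document now introduces, so "PicoD verifies them using a public key exposed via `PICOD_BOOTSTRAP_PUBLIC_KEY`" is no longer accurate; say that the bootstrap key verifies only the `/init` payload and that request JWTs are verified with the session key established there.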