
Comments (9)

gnealhou avatar gnealhou commented on May 25, 2024 1

from kube-mgmt.

tsandall avatar tsandall commented on May 25, 2024

It may be possible to refer to an environment variable in the command line arguments and then load the secret that way. I'll try this out and reply here. If that doesn't work, perhaps we ought to let users specify the token via environment variables. That seems like the simplest approach for now.

RE: mutual TLS, OPA does not currently support that in the HTTP server. We have an open issue for this open-policy-agent/opa#1040.


gnealhou avatar gnealhou commented on May 25, 2024

Either would work -- storing the token in an environment variable means the Kubernetes deployment can keep it in a Secret. If someone can get on the pod to view the environment, they can probably get the secret if it's in a file, too.


ashutosh-narkar avatar ashutosh-narkar commented on May 25, 2024

I am going to try to use the secret in an environment variable and use that env variable in the command line. Will update here. But as @gnealhou mentioned the secret will be visible on entering the kube-mgmt pod.


ashutosh-narkar avatar ashutosh-narkar commented on May 25, 2024

With the below config, the OPA authentication token will not be seen on the command line and the deployment but will be seen on entering the kube-mgmt container.

1. Create a secret.

   kubectl create secret generic kube-token --from-literal=token='kube-mgmt'
   kc describe secret kube-token
   Name:         kube-token
   Namespace:    opa
   Labels:       <none>
   Annotations:  <none>

   Type:  Opaque

   Data
   ====
   token:  9 bytes

2. Use secret as environment variable in kube-mgmt container.

   - name: kube-mgmt
     image: openpolicyagent/kube-mgmt:0.8-dev
     args:
       - "--opa-auth-token=$(SECRET_TOKEN)"
     env:
       - name: SECRET_TOKEN
         valueFrom:
           secretKeyRef:
             name: kube-token
             key: token

3. Check pod

   kc get pods
   NAME                   READY     STATUS    RESTARTS   AGE
   opa-55bd755cd7-2rdl2   2/2       Running   0          5m

   kc exec -it opa-55bd755cd7-2rdl2 -c kube-mgmt /bin/sh
   / # ps fax
   PID   USER     TIME  COMMAND
       1 root      0:00 /kube-mgmt --opa-auth-token=kube-mgmt
      11 root      0:00 /bin/sh
      18 root      0:00 ps fax

@gnealhou What do you think?


ashutosh-narkar avatar ashutosh-narkar commented on May 25, 2024

Closing this as the auth token is reasonably secure and no longer listed on the command line.


kfox1111 avatar kfox1111 commented on May 25, 2024

It's more secure, but could still leak out in unexpected ways. For example, something from the host that is looking at what processes are running, or logs that contain similar info. I'd much prefer if there was a way to set it by environment variable so it never shows up on a command line.

Can we reopen this issue please?


kfox1111 avatar kfox1111 commented on May 25, 2024

Reading it out of a file would also be very useful.


ashutosh-narkar avatar ashutosh-narkar commented on May 25, 2024

@kfox1111 someone with access to the container can still see the token, right?

