Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Merged by Bors] - Lock down secret permissions, store secrets on tmpfs #37

Closed
wants to merge 6 commits into from
Closed

[Merged by Bors] - Lock down secret permissions, store secrets on tmpfs #37

wants to merge 6 commits into from

Conversation

nightkr
Copy link
Member

@nightkr nightkr commented Jan 31, 2022
edited
Loading

Description

This should help reduce outside access, and start making an effort to avoid storing sensitive material on disk at all where viable.

Fixes #15, fixes #10

Caveats

  • Existing Pods mounting secret volumes will get stuck Terminating when deleted, until the Kubelet is restarted, or the folder is deleted manually (see Kubelet logs for more details)
    • This is a one-time migration due to how this PR changes volume cleanup
  • You may need to set Pod.spec.securityContext.fsGroup to give your pod permission to access the secrets, depending on how you drop permissions

Review Checklist

  • Code contains useful comments
  • (Integration-)Test cases added (or not applicable)
  • Documentation added (or not applicable)
  • Changelog updated (or not applicable)
  • Cargo.toml only contains references to git tags (not specific commits or branches)

Once the review is done, comment bors r+ (or bors merge) to merge. Further information

@nightkr nightkr requested a review from a team January 31, 2022 16:15
@nightkr nightkr self-assigned this Jan 31, 2022
@nightkr
Copy link
Member Author

nightkr commented Feb 3, 2022

Hm, two remaining issues here:

  1. This requires /var/lib/kubelet/pods to be mounted as shared, for k3d you can do this by explicitly mounting it as a shared volume: k3d cluster create --agents 3 -v /tmp/k3d/kubelet/pods:/var/lib/kubelet/pods:shared
  2. For some reason this seems to break graceful operator restart

@nightkr
Copy link
Member Author

nightkr commented Feb 3, 2022

Looks like the shared issue is somewhat K3d-specific, it works fine with Kind.

soenkeliebau
soenkeliebau approved these changes Feb 3, 2022
View reviewed changes
Copy link
Member

@soenkeliebau soenkeliebau left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lgtm - ran it on gke and kind, both worked fine.
Left just one question.

One thing I did notice, there is no changelog yet, this should propably be mentioned when we first release this?

src/main.rs
// User: root/secret-operator
// Group: Controlled by Pod.securityContext.fsGroup, the actual application
// (when running as unprivileged user)
tokio::fs::set_permissions(target_path, Permissions::from_mode(0o750))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will this still allow the application to create derivatives like keystores etc. on the mount? Currently this is done in an init container running as root I believe, so probably should work?
Edit:
I tested it on kind and gke and it worked - actually even the main user was able to create files, as the init container chowns the directory, but that is something to be solved in the product operator not here I believe.

Copy link
Member Author

@nightkr nightkr Feb 4, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Having thought about it a bit further, ideally I'd like to ban that altogether (not sure how..) and have the application store any extra files on a separate emptyDir mount.

@nightkr
Copy link
Member Author

nightkr commented Feb 4, 2022

As for the changelog, this PR was originally intended to be part of the 0.1 release. Now that it's not I'll add a note about it.

@nightkr
Copy link
Member Author

nightkr commented Feb 7, 2022

Graceful operator restart is broken on main too, so that seems to be unrelated..

@nightkr
Copy link
Member Author

nightkr commented Feb 7, 2022

bors r+

bors bot pushed a commit that referenced this pull request Feb 7, 2022
@nightkr @stackable-bot
Lock down secret permissions, store secrets on tmpfs (#37)
7ce9ff9 
## Description

This should help reduce outside access, and start making an effort to avoid storing sensitive material on disk at all where viable.

Fixes #15, fixes #10

### Caveats

- Existing `Pod`s mounting secret volumes will get stuck Terminating when deleted, until the Kubelet is restarted, or the folder is deleted manually (see Kubelet logs for more details)
  - This is a one-time migration due to how this PR changes volume cleanup
- You may need to set `Pod.spec.securityContext.fsGroup` to give your pod permission to access the secrets, depending on how you drop permissions



Co-authored-by: Stacky McStackface <stackable-bot@users.noreply.github.com>
@bors
Copy link
Contributor

bors bot commented Feb 7, 2022

Pull request successfully merged into main.

Build succeeded:

@bors bors bot changed the title Lock down secret permissions, store secrets on tmpfs [Merged by Bors] - Lock down secret permissions, store secrets on tmpfs Feb 7, 2022
@bors bors bot closed this Feb 7, 2022
@bors bors bot deleted the feature/lockdown branch February 7, 2022 15:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@soenkeliebau soenkeliebau soenkeliebau approved these changes

Assignees

@nightkr nightkr

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Store secret files on tmpfs Manage permissions for created secret files
3 participants
@nightkr @soenkeliebau @stackable-bot