Skip to content

Restrict access to K8s secret token #103

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Dec 6, 2021
Merged

Restrict access to K8s secret token #103

merged 1 commit into from
Dec 6, 2021

Conversation

@mjura
Copy link
Collaborator

@mjura mjura commented Nov 26, 2021

The most of the containerized workloads do not need to interact with the Kubernetes API server and
they don't need to read the token that is associated with the ServiceAccount used to create the Pod.

This path can be blocked /var/run/secrets/kubernetes.io

@mjura mjura mentioned this pull request Nov 26, 2021
Closed
@mjura mjura requested a review from vadorovsky November 26, 2021 12:16
@flavio
Copy link
Collaborator

flavio commented Nov 30, 2021

@mjura do we really need to add the whole lockc.toml to the helm chart too? I think the container image should come with the default lockc configuration we create.

It's fine to allow the user to overload the configuration via helm, but I wouldn't use that a a mechanism to get our default config into kubernetes.

vadorovsky
vadorovsky requested changes Nov 30, 2021
View reviewed changes
Copy link
Member

@vadorovsky vadorovsky left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You need to add this dir to lockc/src/settings.rs as well. These are default values used in case there is no configuration found.

@vadorovsky
Copy link
Member

vadorovsky commented Nov 30, 2021

@flavio I actually like the idea of adding the whole config to the helm chart. It gives people a reference and lets them adjust the configuration by editing it.

What worries me a bit is that we have multiple files where we need to put new configuration options, which starts becoming quite a hassle. I have no clear idea how to solve that yet, but it would be nice to have some one file for defining options and then generate all the others (.rs, /etc and configmap) based on it. Of course I wouldn't do that in this PR, rather as an follow up issue.

@vadorovsky
Copy link
Member

vadorovsky commented Nov 30, 2021

Also, there is a typo in the commit message and PR name - s/secter/secret/

@flavio
Copy link
Collaborator

flavio commented Nov 30, 2021

What worries me a bit is that we have multiple files where we need to put new configuration options, which starts becoming quite a hassle.

That's exactly my main concern. Just to reiterate over what I've already said, I would leave the default configuration inside of the lockc repo on GitHub, have that tagged and automatically added to the container image at build time.

As for the users, we can address your concern ("how do they find a sample of the configuration file?") by adding a simple comment inside of the helm chart. The comment can point to the configuration file on the GitHub repo

@mjura mjura changed the title Restrict access to K8s secter token Restrict access to K8s secret token Dec 3, 2021
@mjura
Copy link
Collaborator Author

mjura commented Dec 3, 2021

I have updated also baseline restricted paths

@mjura mjura requested review from flavio and vadorovsky December 3, 2021 15:52
vadorovsky
vadorovsky approved these changes Dec 6, 2021
View reviewed changes
Copy link
Member

@vadorovsky vadorovsky left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm fine with accepting this PR as it is now. I would address the idea of having a config in one place as a separate, follow up change. I hope it's fine for you @flavio

@vadorovsky
Copy link
Member

vadorovsky commented Dec 6, 2021

Linter is complaining, but it's not related to changes in this PR, let me fix it with a new PR and let's keep this one on hold.

@mjura
Restrict access to K8s secret token
4e319ef 
The most of the containerized workloads do not need to interact with the Kubernetes API server and
they don't need to read the token that is associated with the ServiceAccount used to create the Pod.

This path can be blocked /var/run/secrets/kubernetes.io

Signed-off-by: Michal Jura <[email protected]>
@vadorovsky vadorovsky merged commit 63e1c63 into lockc-project:main Dec 6, 2021
@vadorovsky
Copy link
Member

vadorovsky commented Dec 6, 2021

@flavio we are going to remove a duplicated config from helm chart (and instead use the .toml file from the container image) as a follow up change.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vadorovsky vadorovsky vadorovsky approved these changes

@flavio flavio Awaiting requested review from flavio

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mjura @flavio @vadorovsky