-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Moves public daprd metadata server to new authorized port #7423
base: master
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Although I appreciate that this is done the "right way" and requires mTLS, we should consider how the metadata API is likely being used, which is that apps may call it to get information on the sidecar, or possibly even external monitoring/cataloging services.
Adding the requirement of using mTLS, fetching certs from Sentry, in this case is IMHO very burdensome given the kind of consumers.
I would rather add a more simple IP-based allowlisting. Or just trust that users will not expose the port in the K8s service.
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #7423 +/- ##
==========================================
- Coverage 62.13% 61.99% -0.14%
==========================================
Files 245 246 +1
Lines 22479 22563 +84
==========================================
+ Hits 13967 13988 +21
- Misses 7345 7406 +61
- Partials 1167 1169 +2 ☔ View full report in Codecov by Sentry. |
I agree with @ItalyPaleAle. At least, offer a way for people to keep the existing behavior. We should do that anyway because it is a breaking change. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The current behavior must be kept and the new behavior should be done via a config flag. Default must be current behavior, following the deprecation policy.
The project should always strive to do things the right way, especially so for security. I don't think we should follow the deprecation policy in this instance as this is an undocumented privacy vulnerability in multi tenant deployments. Applications that currently consume the metadata API can continue to do so via the localhost endpoints. Communication between Dapr hosts must always be mTLS by default in Kubernetes. Any system which is currently consuming this API should have enough knowledge of Dapr already to be able to request an identity certificate from sentry using the gRPC protos. We must have a mechanism to authorize this endpoint- IP allowlists are not appropriate in cloud native environments as IP addresses are ephemeral. |
I understand your rationale. On the other hand, an OSS project have to be careful on forcing a migration on a minor version upgrade. It can lead to the opposite result, where users stick to an older version of Dapr to plan ahead their migration in order to upgrade to a version that requires a significant change of their environment - there can be internal tools depending on this behavior that only the user knows. |
(Please also note that this metadata API is not enabled by default, so users must enable it explicitly) Before we make decisions here we should really inquire on how users are using this API. My feeling is that it used by external services for cataloging or other purposes, for whom requesting a certificate from Sentry would not be feasible and would make the API unusable. (Also, we do not have public-facing SDKs for Sentry) Agree IP allowlisting isn't great, but this leaves us with 2 options:
|
@ItalyPaleAle it is enabled by default in Kubernetes. |
Ok that's a different problem then. I thought the PR that implemented that made it optional |
a693558
to
cb0c7eb
Compare
Currently, daprd is exposing the public port which exposes the healthz and metadata endpoints. This is exposed publicly on the network. This server has no authentication and is serving requests in plaintext. The metadata endpoint returns information like actors, subscriptions, components etc. This represents a massive privacy exposure. This port must be disabled on any multi-tenant deployment of Dapr, however this is not documented anywhere and the daprd logs don't explain that this is happening either. Users are currently exposing this information without knowledge. This PR moves the public metadata endpoint to a new port, and adds authentication and authorization to the endpoint. If mTLS is enabled, the endpoint will serve using the same TLS as the internal API server. The server will only serve requests to SPIFFE peers are present in the `--dapr-metadata-authorized-ids` CLI flag. If mTLS is disabled, this flag is ignored. PR extends the mTLS Configuration API with a new `metadataAuthorizedIDs` fields which takes a slice of SPIFFE IDs. This slice is appened to the authorized list when consumed by daprd. When set on the global `dapr-system` configuration, the sidecar-injector sets this value on the sidecar container. This allows users to configure the authorized IDs globally, or on a per-pod basis. Signed-off-by: joshvanl <me@joshvanl.dev>
Signed-off-by: joshvanl <me@joshvanl.dev>
cb7fefe
to
df08cf7
Compare
This pull request has been automatically marked as stale because it has not had activity in the last 60 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions! |
Currently, daprd is exposing the public port which exposes the healthz and metadata endpoints. This is exposed publicly on the network. This server has no authentication and is serving requests in plaintext.
The metadata endpoint returns information like actors, subscriptions, components etc.
This represents a massive privacy exposure. This port must be disabled on any multi-tenant deployment of Dapr, however this is not documented anywhere and the daprd logs don't explain that this is happening either. Users are currently exposing this information without knowledge.
This PR moves the public metadata endpoint to a new port, and adds authentication and authorization to the endpoint. If mTLS is enabled, the endpoint will serve using the same TLS as the internal API server. The server will only serve requests to SPIFFE peers that present in the
--dapr-metadata-authorized-ids
CLI flag. If mTLS is disabled, this flag is ignored.PR extends the mTLS Configuration API with a new
metadataAuthorizedIDs
fields which takes a slice of SPIFFE IDs. This slice is appended to the authorized list when consumed by daprd. When set on the globaldapr-system
configuration, the sidecar-injector sets this value on the sidecar container. This allows users to configure the authorized IDs globally, or on a per-pod basis.Closes #7397