docs(security): RFC — per-agent remote-signer keystore isolation (follow-up to #570)#571
Closed
bussyjd wants to merge 1 commit into
Conversation
Follow-up to PR #570 (controller Secret RBAC scoping), which scopes the controller's keystore access by name but cannot isolate one agent's keystore from another's: all agents share the Secret name remote-signer-keystore, and a name-scoped ClusterRole matches that name in any namespace.

Captures the verified custody flow (controller mints keys in-process via openclaw.GenerateKeystoreInMemory; standing cluster-wide GET on every agent's keystore + password), the threat model, four options (rejecting the "per-namespace Role for the controller SA" approach as isolation theater), and recommends Option B: move keystore minting into the agent pod so the controller leaves the signer-key custody path entirely.

No controller code yet -- gated on open questions about remote-signer self-mint capability and the address-reporting channel.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Superseded by #573 — the per-agent keystore isolation design now lives as a diagram-rich tracking issue (decoupled from any code branch) so it can be discussed and scheduled independently. The immediate RBAC hardening remains in #570.
Summary

Design RFC (no controller code yet) for the isolation follow-up that #570 explicitly defers. #570 scopes the controller's Secret access to three names, but a name-scoped ClusterRole still matches `remote-signer-keystore` in any namespace — so the controller can read every agent's keystore + password. This RFC captures the verified custody flow and a recommended path out.

Full doc: `plans/per-agent-keystore-isolation.md`

Verified custody flow (code-level)

- `openclaw.GenerateKeystoreInMemory()` (`internal/openclaw/wallet.go:136`).
- `remote-signer:v0.3.0` only consumes a mounted keystore; no evidence it self-generates.
- `GET` on the Secret returns the key + password too, so the standing capability is the real exposure.

Two sub-risks

- GETs every agent's keystore → drains every agent wallet.

Options (full tradeoffs in the doc)

Recommendation

Option B, phased: in-pod keystore generation → namespaced Role for the agent SA + address-via-`Agent.status` → drop `remote-signer-keystore` from the controller ClusterRole (+ guard test).

Open questions (gate Phase 1)

- `remote-signer:v0.3.0` self-generate a keystore on first boot (empty keystore dir)? If not → init-container mint tool.
- `Agent.status.walletAddress` the right address channel, with the agent SA granted namespaced `patch` on `agents/status`?

🤖 Generated with Claude Code
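A guard check of the kind the Recommendation's last phase calls for, as an added example that is not code from this PR or the project: given a ClusterRole's rules, it returns every verb that would disclose a Secret named remote-signer-keystore, so a test can assert the list is empty once the name is dropped. `PolicyRule` and `ClusterRole` are pared-down mirrors of the Kubernetes RBAC types, and the `before`/`after` rule sets and `placeholder-secret` are constructed for the example.

```go
package main
import "fmt"

// Mirrors the rbac.authorization.k8s.io/v1 PolicyRule fields this check needs.
type PolicyRule struct {
	APIGroups     []string
	Resources     []string
	Verbs         []string
	ResourceNames []string
}
type ClusterRole struct{ Rules []PolicyRule }

// match reports whether want is in list; wild also accepts "*" (valid everywhere except resourceNames).
func match(list []string, want string, wild bool) bool {
	for _, v := range list {
		if v == want || (wild && v == "*") {
			return true
		}
	}
	return false
}

// SecretReadVerbs returns the verbs in cr that disclose a Secret named name. A ClusterRole is
// cluster-wide (so the name matches in every namespace); empty resourceNames matches all Secrets.
func SecretReadVerbs(cr ClusterRole, name string) []string {
	var out []string
	for _, r := range cr.Rules {
		if !match(r.APIGroups, "", true) || !match(r.Resources, "secrets", true) ||
			(len(r.ResourceNames) > 0 && !match(r.ResourceNames, name, false)) {
			continue // not a secrets rule, or scoped to other Secret names only
		}
		for _, v := range []string{"get", "list", "watch"} { // all three return Secret data
			if match(r.Verbs, v, true) {
				out = append(out, v)
			}
		}
	}
	return out
}

// Constructed sample: a #570-style name-scoped rule (other scoped names are placeholders).
var before = ClusterRole{Rules: []PolicyRule{{APIGroups: []string{""}, Resources: []string{"secrets"},
	Verbs: []string{"get"}, ResourceNames: []string{"remote-signer-keystore", "placeholder-secret"}}}}
// Guard-test target: the same rule once remote-signer-keystore is dropped from the ClusterRole.
var after = ClusterRole{Rules: []PolicyRule{{APIGroups: []string{""}, Resources: []string{"secrets"},
	Verbs: []string{"get"}, ResourceNames: []string{"placeholder-secret"}}}}

func main() {
	fmt.Println(SecretReadVerbs(before, "remote-signer-keystore")) // [get]
	fmt.Println(SecretReadVerbs(after, "remote-signer-keystore"))  // []
}
```

Run against the controller ClusterRole rendered from the chart or kustomization, a non-empty result is the regression the guard test should fail on.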