-
Notifications
You must be signed in to change notification settings - Fork 16
Redis config and ACL setup
This page is about an optional feature of the Redis cluster operator. It can be used to manage an ACL configuration for the cluster.
Version 6 of Redis added support for ACL rules that allows for better user mangement. The ACL rules are strucutred as a configuration that can be stored in either redis.conf or a separate dedicated configuration file.
The operator can manage a separate ACL config files stored as a configmap resource in K8s. The file from the configmap should be mounted as volume inside all pods. Upon change, the operator will trigger a volume sync (by writing an annotation on the pods with the hash of the new ACL config), then will load the new config files on all Redis nodes. On fail - if the config is correct but the load fails from other reasons (syc taking long etc) then the operator will continue to retry to load the latest ACL config with an exponential backoff. If the config is erroneus the operator will fail to apply it and will wait until the file is corrected.
Do not restart Redis instances if you have a malformed ACL config, the node will fail to start as the ACL is loaded at startup.
The setup is susceptible to security concerns regarding who can change the access rights of a user. The operator does not enforce any RBAC rules with regard to the configmaps, it is left as an option to the users to protect the access to the configmap accordingly.
The aclfile must not contain any other string other than the relevant ACL configuraiton.
The controller will write to a redis node annotations a hash of the currently loaded ACL config. The steps for computing the hash are:
- Use ACL GET to get the raw config
- Convert the result to an internal representation
- Convert the internal representation to string and compute the sha256 sum of the string
Converting to internal representation is necessary to avoid different hashes on functioanlly identical ACL files, where the hashes deffer because of a different ordering of the configs. The internal representation will have all users and all fields ordered alphabetically and all remove configurations (for passwords, commands etc.) placed to the front of the list.
To generate a password hash:
echo -n mypassword | sha256sum
As of now, changes to redis.conf file are not automatically managed by the operator, the pods need a rolling restart to propagate the latest version of the config.