Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: Ensure that user cannot override reserved labels #7222

Closed
wants to merge 2 commits into from
Closed

fix: Ensure that user cannot override reserved labels #7222

wants to merge 2 commits into from

Conversation

simster7
Copy link
Member

Fixes #7215, which could be a potential security vulnerability with users overriding labels set by Argo.

Signed-off-by: Simon Behar simbeh7@gmail.com

Don't bother creating a PR until you've done this:

  • Run make pre-commit -B to fix codegen, lint, and commit message problems.

Create your PR as a draft.

  • Your PR needs to pass the required checks before it can be approved. If the check is not required (e.g. E2E tests) it
    does not need to pass.
  • Once required tests have passed, you can make it "Ready for review".
  • Say how how you tested your changes. If you changed the UI, attach screenshots.

Tips:

  • If changes were requested, and you've made them, then dismiss the review to get it looked at again.
  • Add you organization to USERS.md if you like.
  • You can ask for help!

@simster7
fix: Ensure that user cannot override reserved labels
279e43d 
Signed-off-by: Simon Behar <simbeh7@gmail.com>
@simster7
fix: minor
0dd86ef 
Signed-off-by: Simon Behar <simbeh7@gmail.com>
simster7
simster7 commented Nov 15, 2021
View reviewed changes
util/cmd/cmd.go
Comment on lines +92 to +95
if _, reserved := common.ReservedWorkflowLabelKeys[labelSpec[0]]; reserved {
log.Warnf("Ignoring label with key '%s' as it is reserved", labelSpec[0])
continue
}
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not super happy with this solution as it only checks CLI submitted labels. However, checking at the WF validation stage is problematic because legitimate reserved labels might be set by Argo sometime before the validation stage, requiring some refactor to correctly validate at that stage.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes a CLI-only check would indeed be insufficient in many ways. A validation stage check or an informer change check would be most appropriate, but could also be worked around by a user with sufficient privileges.

Therefore, I don't think this approach is doable or that the issue itself is even solveable in k8s. SAs and other identity mechanisms within k8s should be used for this, as those are properly supported authN in k8s.

@stale
Copy link

stale bot commented Jan 16, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Jan 16, 2022
@terrytangyuan
Copy link
Member

@simster7 Still working on this?

@stale stale bot closed this Feb 5, 2022
@jburke-godaddy
Copy link

@simster7 Any chance this is going to re-open?

@tooptoop4
Copy link
Contributor

bump

@agilgur5 agilgur5 added area/cli The `argo` CLI type/security Security related labels May 23, 2024
agilgur5
agilgur5 reviewed May 23, 2024
View reviewed changes
Copy link
Contributor

@agilgur5 agilgur5 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was linked in #13079, but I think this approach is problematic and the issue itself is unsolvable. Within k8s, any user with appropriate privileges can edit labels.
Argo can do a bunch of workarounds (as mentioned below) to try to prevent this, but those are workarounds at best and not solutions, and should not be relied on for authN purposes. In fact, I would say that any attempt at making this non-overriddeable would give a user a false sense of security and we should not give that intentionally. Trying to make this secure would create various vulnerabilities as well, due to breaking k8s's RBAC model.

As such, I'm going to mark this and the issue as won't fix.

k8s's own RBAC should be used for authN and authZ, which is what Argo's SSO RBAC feature uses. For more fine-grained RBAC, see #6490

util/cmd/cmd.go
Comment on lines +92 to +95
if _, reserved := common.ReservedWorkflowLabelKeys[labelSpec[0]]; reserved {
log.Warnf("Ignoring label with key '%s' as it is reserved", labelSpec[0])
continue
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes a CLI-only check would indeed be insufficient in many ways. A validation stage check or an informer change check would be most appropriate, but could also be worked around by a user with sufficient privileges.

Therefore, I don't think this approach is doable or that the issue itself is even solveable in k8s. SAs and other identity mechanisms within k8s should be used for this, as those are properly supported authN in k8s.

@agilgur5 agilgur5 added solution/invalid This is incorrect. Also can be used for spam area/sso-rbac labels May 23, 2024
@agilgur5 agilgur5 mentioned this pull request May 23, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@agilgur5 agilgur5 agilgur5 left review comments

Assignees
No one assigned
Labels
area/cli The `argo` CLI area/sso-rbac solution/invalid This is incorrect. Also can be used for spam type/security Security related
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Prevent users from overriding automatically set labels
5 participants
@simster7 @terrytangyuan @jburke-godaddy @tooptoop4 @agilgur5