-
Notifications
You must be signed in to change notification settings - Fork 661
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Install in an isolated namespace #166
Comments
I guess this just isn't the way to go about it. I am running the service in The user I have has the access above, but needs access to services/proxy in cluster role.
Any suggestion on cluster role bindings? |
Added 'services/proxy' to list of resources read-only user can access. |
Exactly my point also. Our users have only access to their own namespace(s) and cannot use kubeseal without the extra rolebinding in the kube-system namespace (or at least: the namespace where the controller is running). Can this issue be reopened to answer my questions? |
Yes |
@mdraijer just to make sure I understand the problem you're facing: You have the rights to install the sealed-secret-controller in kube-system or another namespace If yes, you have two options:
I'll improve the README and find a way to simplify all of this if possible, but in the meantime I hope this can unblock you: use offline certificates
At least one user has privileged accessAs long as you can provide that key to your users (and they can trust it's the right key), then they can generate sealed-secrets without any access to the cluster.
FWIW, I have exactly this situation at work: some of our clusters are configured in such a way and we share a certificate file with our team with a secure mechanism (in our case that's keybase team signed filesystem) In order to get the certificate you need to do this once from an account that has the rights:
or if you installed it in a dedicated namespace (possibly with a custom controller name, as happens when you use the helm chart):
You have access to logs
You don't have privileged access at hand and there are no strict network policiesAs long as you can run some code in the cluster, you can try to directly curl the service endpoint:
|
Food for thought: a variant on offline certificates is to add an Ingress to the namespace that runs the sealed-secrets controller, exposing the Rather than mess around with role bindings or distributing the certificate to our developers directly, we've simply documented the URL for the certificate for each cluster. |
@ceralena that's a reasonable approach. I'm struggling to figure out what is the best option that would work out of the box. Ingresses unfortunately don't seem to fit the bill. It's hard to provide instructions for setting up TLS ingress that would work out of the box everywhere (people have different ingress controllers, different load balancers). Perhaps there is just no one size fits all solution. a) a person who can talk to the cluster with b) a person who cannot talk to the cluster (e.g. all interactions with the cluster are done by a GitOps style interaction mediated by a CI tool which has actual access to the cluster). Both scenarios have to be secure, i.e. it should be very hard for an attacker to trick the user into encrypting the secret belonging to the attacker. It's easy for the sealed secret controller to post the cert somewhere; what's harder is for the user to establish that it's the right certificate to use. |
Thanks @mkmik, that helps. We will distribute the public key to the users. |
Related to the original question in this issue: install in an isolated namespace, i.e. some other namespace than kube-system: |
@mdraijer Hmm, it should work. Could you show me the exact commands you issued to install it with kubectl in another namespace? |
I did not use kubectl, because that would mean editing the yaml first (hard coded namespace).
Thought it could be the resource quota, they were initially exactly the resources requested by the pod. But I made that 10 times as high now:
|
I'm not familiar with the helm chart and it's been released independently so I'd prefer to not add a variable here. Kubectl has a builtin feature that allows you to apply config overlays called
(you can clean up with It would really help if you could try this (possibly after making sure there is no other sealed secret instance left over) |
For now we have settled with an installation in kube-system, but thanks for your help. |
@mdraijer thanks anyway; if you'll have some extra time, I'd really appreciate if you manage to reproduce the issue without the helm chart; I'd love to know if there is a bug. |
I'll keep this issue open because I think the certificate fetching issue can be improved with some tweaks to RBAC |
This allows kubeseal to fetch the certificate public key (and perform other actions such as /verify and /rotate endpoints) even if the caller doesn't have otherwise the rights to access the kube-system namespace (or any other namespace where the sealed-secrets controller might have been deployed), as it often happens that users are not granted such broad permissions on production clusters. We historically suggested users to just distribute the certificate out of bound and use the `--cert` flag. However, with the advent of master key rotation, this is becoming increasingly more cumbersome, especially since it's critical that users end up using the right certificate (i.e. the certificate has to be authenticated). Master key rotation also requires users to periodically rotate the secrets, which requires access to the /rotate endpoint. This change includes a fine-grained RBAC rule that allows access to the sealed-secrets controller HTTP API to any authenticated user in the cluster. Users are still free to disable this feature by applying an override during deployment, but our default RBAC config should include it. The controller currently exposes the following endpoints: - `/healthz' - `/v1/verify` - `/v1/rotate` - `/v1/cert.pem` The controller already must not expose any secrets via the HTTP endpoint, since while RBAC would prevent end-users to access the service via the proxy, nothing prevents any unprivileged workload in the cluster unless admins have explicitly configured a strict network policy rule set. Closes #166
This allows kubeseal to fetch the certificate public key (and perform other actions such as /verify and /rotate endpoints) even if the caller doesn't have otherwise the rights to access the kube-system namespace (or any other namespace where the sealed-secrets controller might have been deployed), as it often happens that users are not granted such broad permissions on production clusters. We historically suggested users to just distribute the certificate out of bound and use the `--cert` flag. However, with the advent of master key rotation, this is becoming increasingly more cumbersome, especially since it's critical that users end up using the right certificate (i.e. the certificate has to be authenticated). Master key rotation also requires users to periodically rotate the secrets, which requires access to the /rotate endpoint. This change includes a fine-grained RBAC rule that allows access to the sealed-secrets controller HTTP API to any authenticated user in the cluster. Users are still free to disable this feature by applying an override during deployment, but our default RBAC config should include it. The controller currently exposes the following endpoints: - `/healthz' - `/v1/verify` - `/v1/rotate` - `/v1/cert.pem` The controller already must not expose any secrets via the HTTP endpoint, since while RBAC would prevent end-users to access the service via the proxy, nothing prevents any unprivileged workload in the cluster unless admins have explicitly configured a strict network policy rule set. Closes #166
208: Allow access to sealed secret services/proxy to any authenticated user r=mkmik a=mkmik This allows kubeseal to fetch the certificate public key (and perform other actions such as /verify and /rotate endpoints) even if the caller doesn't have otherwise the rights to access the kube-system namespace (or any other namespace where the sealed-secrets controller might have been deployed), as it often happens that users are not granted such broad permissions on production clusters. We historically suggested users to just distribute the certificate out of bound and use the `--cert` flag. However, with the advent of master key rotation, this is becoming increasingly more cumbersome, especially since it's critical that users end up using the right certificate (i.e. the certificate has to be authenticated). Master key rotation also requires users to periodically rotate the secrets, which requires access to the /rotate endpoint. This change includes a fine-grained RBAC rule that allows access to the sealed-secrets controller HTTP API to any authenticated user in the cluster. Users are still free to disable this feature by applying an override during deployment, but our default RBAC config should include it. The controller currently exposes the following endpoints: - `/healthz' - `/v1/verify` - `/v1/rotate` - `/v1/cert.pem` The controller already must not expose any secrets via the HTTP endpoint, since while RBAC would prevent end-users to access the service via the proxy, nothing prevents any unprivileged workload in the cluster unless admins have explicitly configured a strict network policy rule set. Closes #166 Rel #137 Co-authored-by: Marko Mikulicic <mkm@bitnami.com>
Since #208 the sealed secret controller is accessible even if users have no access to the namespace it's deployed into, I think this issue can be considered closed. (Keep in mind that until we directly release helm charts from this project, there is no guarantee that config changes as this one will be reflected soon in the helm chart. Please consider using kustomize) |
I'm attempting to install sealed secrets helm chart into a namespace where my user is "admin" at the role level not the cluster level. I was hoping to install sealed secrets in this namespace to isolate the users from needing access to other namespaces/secrets.
Am I being a numbskull here?
The text was updated successfully, but these errors were encountered: