Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Kustomize Exec Secret Generator #2382

Closed
4 tasks
shekhar-rajak opened this issue Jan 30, 2021 · 6 comments
Closed
4 tasks

Kustomize Exec Secret Generator #2382

shekhar-rajak opened this issue Jan 30, 2021 · 6 comments
Labels
lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. sig/cli Categorizes an issue or PR as relevant to SIG CLI.

Comments

@shekhar-rajak
Copy link
Member

shekhar-rajak commented Jan 30, 2021

Enhancement Description

  • One-line enhancement description (can be used as a release note): Kustomize Exec Secret Generator
  • Kubernetes Enhancement Proposal:

The ability to generate Secrets using `exec` was removed in kustomize v2 because of security concerns
about users kustomizing malicious `kustomization.yaml`s and thereby providing a path for `kustomization.yaml`'s
publishers to execute arbitrary commands on the machines of any user who applies the `kustomization.yaml`.

Example goal to enable:

- Alice wants to develop an Application requiring a shared Secret, and to deploy it on Kubernetes using GitOps
- Alice wants her GitOps deployment mechanism to pull the Secrets that it deploys from an
  remote source without writing the Secrets as files to local disk.
- Alice's organization configures the gitops deployment container to run Kustomize in the cluster
  and be capable of pulling Secrets from remote locations
- Alice writes her kustomization.yaml to use the generation options configured by her organization.

Example exploit to avoid:

- Alice wants to run a whitebox mysql instance on a test cluster
- Chuck publishes a whitebox mysql `kustomization.yaml` on GitHub, with a SecretGenerator
  that will read Alice's ~/.kube/config and send it to Chuck's server by executing `sh`
  will run a script to generate some Secret
- Alice runs `kubectl apply -k https://github.com/chuck/mysql` and has the credentials
  of all of her Kubernetes clusters sent to Chuck when the Secret is generated.

See [kubernetes-sigs/kustomize#692](https://github.com/kubernetes-sigs/kustomize/issues/692) for more details.


  • Discussion Link:
  • Primary contact (assignee): @pwittrock @anguslees @Liujingfang1 @sethpollack
  • Responsible SIGs: sig-cli
  • Enhancement target (which target equals to which milestone):
    • Alpha release target (x.y):
    • Beta release target (x.y):
    • Stable release target (x.y):
  • Alpha
    • KEP (k/enhancements) update PR(s):
    • Code (k/k) update PR(s):
    • Docs (k/website) update PR(s):

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

@k8s-ci-robot k8s-ci-robot added the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Jan 30, 2021
@shekhar-rajak
Copy link
Member Author

shekhar-rajak commented Jan 30, 2021

#2378 created for migrating the old keps into new template.

@LappleApple
Copy link
Contributor

LappleApple commented Apr 8, 2021

/sig cli

@k8s-ci-robot k8s-ci-robot added sig/cli Categorizes an issue or PR as relevant to SIG CLI. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Apr 8, 2021
@fejta-bot
Copy link

fejta-bot commented Jul 7, 2021

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 7, 2021
@k8s-triage-robot
Copy link

k8s-triage-robot commented Aug 6, 2021

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Aug 6, 2021
@k8s-triage-robot
Copy link

k8s-triage-robot commented Sep 5, 2021

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue or PR with /reopen
  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Sep 5, 2021

@k8s-triage-robot: Closing this issue.

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue or PR with /reopen
  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. sig/cli Categorizes an issue or PR as relevant to SIG CLI.
Projects
None yet
Development

No branches or pull requests

5 participants