Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Secrets should be read-only by root #7554

Closed
aronchick opened this issue Apr 30, 2015 · 10 comments
Closed

Secrets should be read-only by root #7554

aronchick opened this issue Apr 30, 2015 · 10 comments
Labels
area/security lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. priority/backlog Higher priority than priority/awaiting-more-evidence. sig/node Categorizes an issue or PR as relevant to SIG Node.

Comments

@aronchick
Copy link
Contributor

Well designed applications run as non-root, so having secrets only readable by root would improve the levels of defense in depth.
@cjcullen cjcullen added priority/backlog Higher priority than priority/awaiting-more-evidence. team/cluster labels Apr 30, 2015
@erictune
Copy link
Member

Are you talking about the secrets files on the /tmpfs from the node's view? I agree those should be readable only by root.

Or are you talking about the mount of the secret volume seen inside the container? Those I don't think need to be readable by root-only by default. There is usually only one application inside the container, and it needs to run as a user that can access the secret, so it can use it.

@aronchick
Copy link
Contributor Author

It's the latter - I can see there being two types of secrets - one that needs accessing by the application running on the container, and one that may be useful in one-time setup. The one-time setup ones could be more sensitive and need hiding from non-root.

@erictune
Copy link
Member

erictune commented May 1, 2015

@pmorie you had mentioned settable secret file permissions. Anything to add to this conversation?

@pmorie
Copy link
Member

pmorie commented Jul 4, 2015

@erictune @aronchick I missed the tag into this issue. We've gone around about settable permissions for secrets -- perhaps this is another data point we can use to inform that discussion. @aronchick could you give an example of a secret that shouldn't be readable by non-root UIDs?

@pmorie pmorie mentioned this issue Jul 4, 2015
Closed
@aronchick
Copy link
Contributor Author

@pmorie Sure - let's say I wanted to do something that required root access to the box / elevated access to my database as the container started (e.g. run a migration, check a mount, etc). I would not want this readable by the account that runs the web server on that container, but I would want it to be available on the container when it starts.

@k8s-github-robot
Copy link

@aronchick There are no sig labels on this issue. Please add a sig label by:
(1) mentioning a sig: @kubernetes/sig-<team-name>-misc
(2) specifying the label manually: /sig <label>

Note: method (1) will trigger a notification to the team. You can find the team list here.

@k8s-github-robot k8s-github-robot added the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label May 31, 2017
@0xmichalis
Copy link
Contributor

/sig node

@k8s-ci-robot k8s-ci-robot added the sig/node Categorizes an issue or PR as relevant to SIG Node. label Jun 4, 2017
@k8s-github-robot k8s-github-robot removed the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Jun 4, 2017
@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 26, 2017
@fejta-bot
Copy link

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle rotten
/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jan 25, 2018
@fejta-bot
Copy link

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/security lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. priority/backlog Higher priority than priority/awaiting-more-evidence. sig/node Categorizes an issue or PR as relevant to SIG Node.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
9 participants
@aronchick @pmorie @0xmichalis @cjcullen @bgrant0607 @erictune @k8s-github-robot @k8s-ci-robot @fejta-bot