Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

secret isn't blocked for non-admin user but secrets is #64

Closed
1 task
estein9825 opened this issue May 31, 2023 · 3 comments · Fixed by #73
Closed
1 task

secret isn't blocked for non-admin user but secrets is #64

estein9825 opened this issue May 31, 2023 · 3 comments · Fixed by #73
Assignees
@nirav-rafay
Labels
bug Something isn't working triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@estein9825
Copy link

estein9825 commented May 31, 2023
edited
Loading

Expected vs actual behavior

If you run kubectl get secret for a read-only user then it works, whereas kubectl get secrets doesn't.

Steps to reproduce the bug

  1. Grant readonly rights to user
  2. Run kubectl get pods -o json | jq '.items[].spec.containers[].env[]?.valueFrom.secretKeyRef.name' | grep -v null | uniq command for authorized namespace
  3. Secrets should return
  4. Run kubectl get secret <secret_name> and it works

Are you using the latest version of the project?

Using version 2.0

What is your environment setup? Please tell us your cloud provider, operating system, and include the output of kubectl version --output=yaml and helm version. Any other information that you have, eg. logs and custom values, is highly appreciated!

Kubernetes 1.24

(optional) If you have ideas on why the bug happens or how it can be solved, please provide it here

The guard against secrets should be a wildcard so that it can protect against secret and sec

  • [X ] I've described the bug, included steps to reproduce it, and included my environment setup with all customizations.
  • I'm using the latest version of the project.
@estein9825 estein9825 added bug Something isn't working new Needs triage labels May 31, 2023
@akshay196 akshay196 added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. and removed new Needs triage labels Jun 1, 2023
@akshay196
Copy link
Member

@estein9825 Are you getting any error for kubectl get secrets? If yes, please paste it here.

@estein9825
Copy link
Author

estein9825 commented Jun 2, 2023
edited
Loading

Yes, get secrets (with an s) is blocked with an unauthorized error as desired.

@nirav-rafay nirav-rafay self-assigned this Jul 27, 2023
@akshay196 akshay196 added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jul 27, 2023
@nirav-rafay
Copy link
Contributor

so with paralus, any user with read only permission is not allowed to view secrets.

In this case kubectl get secrets works fine however read only user is able to view secret using kubectl get secret <name> thus causing an escalation privilege or unauthorised access to a resource which ideally should be blocked for read only users.

@nirav-rafay nirav-rafay linked a pull request Jul 28, 2023 that will close this issue
fix for readonly users should not access secrets #73
Merged
5 tasks
@nirav-rafay nirav-rafay mentioned this issue Jul 28, 2023
Merged
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@nirav-rafay nirav-rafay

Labels
bug Something isn't working triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix for readonly users should not access secrets paralus/relay
3 participants
@akshay196 @estein9825 @nirav-rafay