You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The latest version of this repository introduced a new component, the “syncer.” After the injector has done the initial patch, it works with the syncer to re-patch annotated k8s secrets when required.
Problem
When the syncer was added, the injector was re-configured to only act on Kubernetes secret CREATE not UPDATE, as it did previously. This was to avoid a “double-update” when the syncer runs. However, it resulted in an integration bug whereby updating a Kubernetes secret with an unannotated input drops the annotations and does not get patched then or subsequently.
Solution
The injector and syncer will share an “exemption” token. When the syncer updates a secret, it will use the exemption token to tell the injector that it should not operate on this secret because the syncer already has.
Design
Both the injector and the syncer will be updated to create/overwrite and read the exemption token from a Kubernetes secret that both components have access to.
Both charts will need a mechanism for creating and specifying overwrite behavior on/for the exemption token. However, a non-default overwrite setting in the chart values should be sufficient as overwrite is not frequently or generally useful.
The secret itself will be a base64 encoded UUID. However, any base64 encoded string that is 40 characters or more in length will be considered valid.
Implementation
Chart updates:
o Both components need an RBAC role to share the exemption token.
o A service account for the injector so that it can manipulate the exemption token.
o Add “UPDATE” back to the injector webhook YAML.
o A new annotation to carry the exemption token.
Code changes
o Add code to the syncer that adds the exemption token to the Kubernetes secret that it is patching, using the new annotation
o Enable the injector and syncer to create, read, and, when specified, overwrite the exemption token Kubernetes secret.
o Enable the injector to check for the exemption token and complete without patching when it is present. It matches the value in the Kubernetes secret that the injector and syncer share.
Considerations
The injector will now have a service account, authenticate itself to the cluster, and have a role that reads a secret. In the current version, the injector has no rights to the cluster, nor is it aware of whether it is a part of one.
A malicious actor can theoretically steal the exemption token; however, any practical attack would require more access than the token would grant them.
TL;DR
A shared “exemption token” will be added to the injector and syncer such that the syncer adds the exemption token and the injector does not act on UPDATE the Kubernetes secret when the exemption token is present matching. A malicious actor would need more access to steal the exemption token than it is worth.
sheldonhull
changed the title
Implement an UPDATE "exemption" mechanism in the injector for the syncer
Implement an UPDATE "exemption" mechanism in the injector for the syncer AB#449116
Jul 27, 2022
Background
The latest version of this repository introduced a new component, the “syncer.” After the injector has done the initial patch, it works with the syncer to re-patch annotated k8s secrets when required.
Problem
When the syncer was added, the injector was re-configured to only act on Kubernetes secret CREATE not UPDATE, as it did previously. This was to avoid a “double-update” when the syncer runs. However, it resulted in an integration bug whereby updating a Kubernetes secret with an unannotated input drops the annotations and does not get patched then or subsequently.
Solution
The injector and syncer will share an “exemption” token. When the syncer updates a secret, it will use the exemption token to tell the injector that it should not operate on this secret because the syncer already has.
Design
Both the injector and the syncer will be updated to create/overwrite and read the exemption token from a Kubernetes secret that both components have access to.
Both charts will need a mechanism for creating and specifying overwrite behavior on/for the exemption token. However, a non-default overwrite setting in the chart values should be sufficient as overwrite is not frequently or generally useful.
The secret itself will be a base64 encoded UUID. However, any base64 encoded string that is 40 characters or more in length will be considered valid.
Implementation
o Both components need an RBAC role to share the exemption token.
o A service account for the injector so that it can manipulate the exemption token.
o Add “UPDATE” back to the injector webhook YAML.
o A new annotation to carry the exemption token.
o Add code to the syncer that adds the exemption token to the Kubernetes secret that it is patching, using the new annotation
o Enable the injector and syncer to create, read, and, when specified, overwrite the exemption token Kubernetes secret.
o Enable the injector to check for the exemption token and complete without patching when it is present. It matches the value in the Kubernetes secret that the injector and syncer share.
Considerations
The injector will now have a service account, authenticate itself to the cluster, and have a role that reads a secret. In the current version, the injector has no rights to the cluster, nor is it aware of whether it is a part of one.
A malicious actor can theoretically steal the exemption token; however, any practical attack would require more access than the token would grant them.
TL;DR
A shared “exemption token” will be added to the injector and syncer such that the syncer adds the exemption token and the injector does not act on UPDATE the Kubernetes secret when the exemption token is present matching. A malicious actor would need more access to steal the exemption token than it is worth.
related AB#449116
The text was updated successfully, but these errors were encountered: