Detail K8s RBAC description #649
Comments
Why should I grant granular RBAC, and why can't I store secrets in K8s Secrets when they are stored in etcd, which by default is encrypted? So there are some risks & bypass cases, even when we use etcd encryption with KMS. Mainly due to misconfigurations in usage by users rather than maintainers. Example:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: secure-middleware
  name: ngrok-api-key
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
```

```bash
# Run from inside a pod whose service account is bound to the Role above
export APISERVER=https://${KUBERNETES_SERVICE_HOST}
export SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace)
export TOKEN=$(cat ${SERVICEACCOUNT}/token)
export CACERT=${SERVICEACCOUNT}/ca.crt
# The Role grants get/list/watch on every Secret in the namespace, not just ngrok-api-key
curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/namespaces/${NAMESPACE}/secrets/redis-master-secret
```
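The comment above makes the point that encryption at rest does nothing against a Role whose rules let a service account read Secrets through the API. As an added example (not code from the wrongsecrets project), the script below audits Role and ClusterRole objects in the shape `kubectl get roles,clusterroles -A -o json` produces and flags rules that expose more than one named Secret: wildcard resources, `list`/`watch`/`deletecollection` (which act on the whole collection), and `get` with no `resourceNames`. The three sample objects are constructed inline; the weak Role is the one from the comment, and `HARDENED_ROLE` is a hypothetical least-privilege rewrite of it.

```python
"""Audit Kubernetes RBAC rules for overly broad access to Secrets.

Added example, not part of the wrongsecrets project. Input objects follow
the JSON that `kubectl get roles,clusterroles -A -o json` emits.
"""
import json

# list/watch/deletecollection operate on the whole Secret collection in scope,
# so they reveal every Secret regardless of how narrow the intent was.
COLLECTION_VERBS = {"list", "watch", "deletecollection"}
ALL_VERBS = {"get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"}


def _covers_secrets(rule):
    """True when a rule touches the core-group 'secrets' resource (or '*')."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    return ("" in groups or "*" in groups) and ("secrets" in resources or "*" in resources)


def audit_rule(rule, scope):
    """Return finding strings for one PolicyRule; empty list means no concern."""
    findings = []
    if not _covers_secrets(rule):
        return findings
    verbs = set(rule.get("verbs", []))
    if "*" in verbs:
        verbs = set(ALL_VERBS)
    if "*" in rule.get("resources", []):
        findings.append(f"{scope}: wildcard resources include secrets")
    collection = sorted(verbs & COLLECTION_VERBS)
    if collection:
        findings.append(f"{scope}: {collection} on secrets exposes every Secret in scope")
    if "get" in verbs and not rule.get("resourceNames"):
        findings.append(f"{scope}: 'get' on secrets without resourceNames")
    return findings


def audit_rbac(objects):
    """Audit a list of Role/ClusterRole dicts and return all findings."""
    findings = []
    for obj in objects:
        meta = obj.get("metadata", {})
        scope = f"{obj.get('kind')} {meta.get('namespace', '<cluster>')}/{meta.get('name')}"
        for rule in obj.get("rules", []):
            findings.extend(audit_rule(rule, scope))
    return findings


def audit_kubectl_json(text):
    """Accept either a single object or a kubectl `List` and audit its items."""
    data = json.loads(text)
    items = data.get("items", [data]) if data.get("kind") == "List" else [data]
    return audit_rbac(items)


# Constructed samples. WEAK_ROLE is the Role quoted in the issue comment.
WEAK_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
    "metadata": {"namespace": "secure-middleware", "name": "ngrok-api-key"},
    "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]}],
}
# Hypothetical least-privilege rewrite: one verb, one named Secret.
HARDENED_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
    "metadata": {"namespace": "secure-middleware", "name": "ngrok-api-key"},
    "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"],
               "resourceNames": ["ngrok-api-key"]}],
}
# Constructed wildcard ClusterRole, the common "just make it work" shape.
WILDCARD_CLUSTERROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
    "metadata": {"name": "ops-admin-hypothetical"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}

if __name__ == "__main__":
    sample = json.dumps({"kind": "List", "items": [WEAK_ROLE, HARDENED_ROLE, WILDCARD_CLUSTERROLE]})
    for line in audit_kubectl_json(sample):
        print(line)
```

Against a live cluster, feed `kubectl get roles,clusterroles -A -o json` into `audit_kubectl_json`; the weak Role produces two findings (`list`/`watch` exposure and unrestricted `get`), the hardened one none, and the wildcard ClusterRole three.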
I have tried to add the docs here; let me know which page/challenge I should add it to. I can update there :)
Thank you @madhuakula, can you extend https://github.com/OWASP/wrongsecrets/blob/master/src/main/resources/explanations/challenge5_reason.adoc please?
Updated with #649 RBAC detailed description reason