Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Detail K8s RBAC description #649

Closed
commjoen opened this issue Feb 26, 2023 · 3 comments · Fixed by #672
Closed

Detail K8s RBAC description #649

commjoen opened this issue Feb 26, 2023 · 3 comments · Fixed by #672
Assignees
@madhuakula

Comments

@commjoen
Copy link
Collaborator

No description provided.

@madhuakula
Copy link
Member

Why Granular RBAC should I give and why can’t I store in k8s secrets when it's storing in etcd, which by default is encrypted?

So there are some risks & bypass cases, even when we use etcd encrypting with KMS. Mainly due to misconfigs of usage by users than maintainers:

Example:

  • Let's assume we have a secure-middleware namespace and we have two deployments running inside redis and ngrok
  • Let's assume we have 4 secrets in the secure-middleware namespace, and 1 of them is redis-master-secret which only should be accessed by redis deployment, and 2 others (defualt, xyz). Then we have the ngrok-api-key secret which only should be accessed by the ngrok service.
  • But due to poorly granular access the user was given following RBAC role for ServiceAccount
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: secure-middleware
  name: ngrok-api-key
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]

  • So if the attacker compromised ngrok service or someone who doesn’t have redis access within that team can still steal other stuff.

  • As the resources: ["secrets"] gives access to all the namespace level secrets which means they can read 4 secrets from this pod ServiceAccount.

export APISERVER=https://${KUBERNETES_SERVICE_HOST}
export SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace)
export TOKEN=$(cat ${SERVICEACCOUNT}/token)
export CACERT=${SERVICEACCOUNT}/ca.crt
curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/namespaces/${NAMESPACE}/secrets/redis-master-secret
  • So the RBAC policy ideally should as be below
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: secure-middleware
  name: ngrok-api-key
rules:
- apiGroups: [""]
  resourceNames: ["ngrok-api-key"]
  verbs: ["get", "watch", "list"]

@madhuakula
Copy link
Member

I have tried to add the docs here, let me know which page/challenge I should add. I can update there :)

@commjoen
Copy link
Collaborator Author

Thank you @madhuakula , can you extend https://github.com/OWASP/wrongsecrets/blob/master/src/main/resources/explanations/challenge5_reason.adoc please?

@madhuakula madhuakula mentioned this issue Mar 8, 2023
Merged
8 tasks
commjoen added a commit that referenced this issue Mar 8, 2023
@commjoen
Merge pull request #672 from madhuakula/master
5707451 
Updated with #649 RBAC detailed description reason
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@madhuakula madhuakula

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Updated with #649 RBAC detailed description reason
2 participants
@commjoen @madhuakula