diff --git a/CHANGELOG.md b/CHANGELOG.md
index cbc7f256af8..b18ae16844a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -60,6 +60,7 @@ To learn more about active deprecations, we recommend checking [GitHub Discussio
 - **General:** Add support to use pod identities for authentication in Azure Key Vault ([#3813](https://github.com/kedacore/keda/issues/3813)
 - **General:** Support disable keep http connection alive([#3874](https://github.com/kedacore/keda/issues/3874)
 - **General:** Improve the function used to normalize metric names ([#3789](https://github.com/kedacore/keda/issues/3789)
+- **General:** Support Restrict Secret Access to mitigate the security risk ([#3668](https://github.com/kedacore/keda/issues/3668)
 - **Apache Kafka Scaler:** SASL/OAuthbearer Implementation ([#3681](https://github.com/kedacore/keda/issues/3681))
 - **Azure AD Pod Identity Authentication:** Improve error messages to emphasize problems around the integration with aad-pod-identity itself ([#3610](https://github.com/kedacore/keda/issues/3610))
 - **Azure Event Hub Scaler:** Support Azure Active Direcotry Pod & Workload Identity for Storage Blobs ([#3569](https://github.com/kedacore/keda/issues/3569))
diff --git a/adapter/main.go b/adapter/main.go
index 6bd9b6a91a2..cd7e428a769 100644
--- a/adapter/main.go
+++ b/adapter/main.go
@@ -145,6 +145,8 @@ func (a *Adapter) makeProvider(ctx context.Context, globalHTTPTimeout time.Durat
 logger.Error(err, "Unable to get cluster object namespace")
 return nil, nil, err
 }
+ // the namespaced kubeInformerFactory is used to restrict secret informer to only list/watch secrets in KEDA cluster object namespace,
+ // refer to https://github.com/kedacore/keda/issues/3668
 kubeInformerFactory := kubeinformers.NewSharedInformerFactoryWithOptions(kubeClientset, 1*time.Hour, kubeinformers.WithNamespace(objectNamespace))
 secretInformer := kubeInformerFactory.Core().V1().Secrets()
 
diff --git a/main.go b/main.go
index 5b8ed8089a6..d4e31ee389f 100644
--- a/main.go
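Review bot: The comment added above `kubeInformerFactory` presents the namespaced informer factory as the thing that restricts secret access, but `kubeinformers.WithNamespace(objectNamespace)` only narrows what this process lists, watches and caches on the client side; the enforced boundary is the RBAC bound to the service account, and a cluster-wide grant on secrets would still let any other code path read them. The same wording is added to main.go in the `@@ -172,6 +171,8 @@` hunk, so both should say so. A version that states the actual guarantee: `// Scope the informer to the KEDA cluster object namespace so only secrets there are listed, watched and cached; this complements the RBAC granted to the service account rather than replacing it (see #3668).` It would also help to note how this relates to the KEDA_RESTRICT_SECRET_ACCESS setting read in pkg/util/env_resolver.go, since the informer here is namespaced unconditionally while that setting presumably gates a separate code path. makeProvider begins before this hunk and continues past it.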
+++ b/main.go
@@ -17,7 +17,6 @@ limitations under the License.
 package main
 
 import (
- "context"
 "flag"
 "fmt"
 "os"
@@ -172,6 +171,8 @@ func main() {
 setupLog.Error(err, "Unable to get cluster object namespace")
 os.Exit(1)
 }
+ // the namespaced kubeInformerFactory is used to restrict secret informer to only list/watch secrets in KEDA cluster object namespace,
+ // refer to https://github.com/kedacore/keda/issues/3668
 kubeInformerFactory := kubeinformers.NewSharedInformerFactoryWithOptions(kubeClientset, 1*time.Hour, kubeinformers.WithNamespace(objectNamespace))
 secretInformer := kubeInformerFactory.Core().V1().Secrets()
 
@@ -242,7 +243,7 @@ func main() {
 setupLog.Info(fmt.Sprintf("Go OS/Arch: %s/%s", runtime.GOOS, runtime.GOARCH))
 setupLog.Info(fmt.Sprintf("Running on Kubernetes %s", kubeVersion.PrettyVersion), "version", kubeVersion.Version)
 
- ctx := context.Background()
+ ctx := ctrl.SetupSignalHandler()
 kubeInformerFactory.Start(ctx.Done())
 if ok := cache.WaitForCacheSync(ctx.Done(), secretInformer.Informer().HasSynced); !ok {
@@ -250,7 +251,7 @@ func main() {
 os.Exit(1)
 }
 
- if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
+ if err := mgr.Start(ctx); err != nil {
 setupLog.Error(err, "problem running manager")
 os.Exit(1)
 }
diff --git a/pkg/util/env_resolver.go b/pkg/util/env_resolver.go
index 319af51bddc..99b828dfe79 100644
--- a/pkg/util/env_resolver.go
+++ b/pkg/util/env_resolver.go
@@ -57,6 +57,7 @@ func ResolveOsEnvDuration(envName string) (*time.Duration, error) {
 return nil, nil
 }
 
+// GetClusterObjectNamespace retrieves the cluster object namespace of KEDA, default is the namespace of KEDA Operator & Metrics Server
 func GetClusterObjectNamespace() (string, error) {
 // Check if a cached value is available.
 if clusterObjectNamespaceCache != nil {
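Review bot: Once `ctx := ctrl.SetupSignalHandler()` is passed to `cache.WaitForCacheSync(ctx.Done(), ...)`, a SIGTERM or SIGINT that arrives during startup also makes WaitForCacheSync return false, and the failure branch that follows (its body lies past the end of this hunk) will then report a cache-sync error and exit non-zero on what was an ordinary shutdown request. Checking the context first keeps that path honest, e.g. inside the `!ok` branch: `if ctx.Err() != nil { setupLog.Info("shutdown signal received before Secrets cache synced"); return }`. Reusing the same signal context for `mgr.Start(ctx)` in the `@@ -250,7 +251,7 @@` hunk is consistent with this; just make sure ctrl.SetupSignalHandler is not invoked anywhere else, since controller-runtime panics when it is called twice. main starts before this hunk and continues after it.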
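Review bot: The new doc comment on `GetClusterObjectNamespace` gives the default but not that the result appears to be memoized: the `clusterObjectNamespaceCache` check on the line below suggests the first successful lookup is reused for the life of the process, which matters to any caller that expects a fresh read. Suggest extending it to `// GetClusterObjectNamespace retrieves the cluster object namespace of KEDA; the default is the namespace of the KEDA Operator & Metrics Server. The value is resolved once and cached for subsequent calls.` Where the namespace is actually read from is outside this hunk, so that detail is best confirmed against the rest of the function before it goes into the comment. The function body continues beyond the hunk.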
@@ -79,4 +80,4 @@ func GetClusterObjectNamespace() (string, error) {
 // GetRestrictSecretAccess retrieves the value of the environment variable of KEDA_RESTRICT_SECRET_ACCESS
 func GetRestrictSecretAccess() string {
 return os.Getenv(RestrictSecretAccessEnvVar)
-}
\ No newline at end of file
+}