
Feature flag to disable log browser #4737

Closed
larhauga opened this issue Feb 15, 2022 · 14 comments
Labels: backlog (Triaged issue added to backlog), enhancement (This is the preferred way to describe new end-to-end features), requires helm chart PR, requires operator PR (It requires an update in operator code)

Comments

@larhauga

Hi, it would be nice if it was possible to turn off the logs browser for workloads.

My use case

Logs can contain sensitive information that we don't want accessible through the Kiali dashboards.

larhauga added the enhancement label Feb 15, 2022
@jmazzitelli (Collaborator)

Aren't the logs an RBAC permission you can disable per user? E.g. the service account for the user can just be denied the pods/log read permission.

@larhauga (Author)

Aren't the logs an RBAC permission you can disable per user? E.g. the service account for the user can just be denied the pods/log read permission.

Hi, thanks for your quick reply.
I am running an EKS with no external OIDC currently, and user RBAC is thus not enabled.
I am using the operator, and have not found any way of generally disabling the pod/log rbac for kiali.

Do you know if there is any way of removing the log RBAC permission with the operator, or is the only solution available to me to roll my own deployment?
I currently see no good solution for ensuring that logs are not available in a pretty basic setup of Kiali (operator + view-only mode). Any help is really appreciated :)

@jmazzitelli (Collaborator)

What auth strategy are you using? In your Kiali CR, what is "spec.auth.strategy" set to?

@larhauga (Author)

What auth strategy are you using? In your Kiali CR, what is "spec.auth.strategy" set to?

Right now auth.strategy=anonymous, but I am planning to migrate to openid, possibly with disable_rbac: true, as RBAC is currently mapped to AWS SSO.

@jmazzitelli (Collaborator)

Using auth.strategy of anonymous means ANYONE with access to the Kiali URL can get into the Kiali UI. If you use that in production, I suspect you have more things to worry about than just leaking log messages :)

But regardless of that, the current workaround that you can employ is: remove the pods/log permission that is given to the Kiali service account. So you would need to remove this permission from the kiali-viewer role: https://github.com/kiali/kiali-operator/blob/master/roles/default/kiali-deploy/templates/kubernetes/role-viewer.yaml#L14

@jshaughn (Collaborator)

Logs come through the k8s API; not sure if you can disable logs at the k8s layer.

@jmazzitelli (Collaborator)

Logs come through the k8s API; not sure if you can disable logs at the k8s layer.

AFAIK only if the user has been denied access by not giving the user that pods/log permission.

@lucasponce (Contributor)

@larhauga just to confirm the scenario:

  • The users cannot access the cluster using any tool like "kubectl" or similar.
  • But the users can access Kiali.

Is that right?

@larhauga (Author)

Thanks for the response!
@lucasponce the scenario is correct.
I needed to solve this with a hack in Istio, as the roles are integrated in the operator.
However, this is not a long-term solution, as I am afraid that changes to the Kiali API would rename the logs endpoint.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-logs
spec:
  action: DENY
  rules:
  - to:
    - operation:
        paths: ["*/logs"]
      #paths: ["/kiali/api/namespaces/*/pods/*/logs"]  # this is the path, but istio only handles suffix match

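Added example (not from the issue, Kiali or Istio): a small offline model of how Istio evaluates the `to.operation.paths` entry in the DENY policy above. It re-implements Istio's StringMatch rules (exact, prefix `foo*`, suffix `*foo`, presence `*`) so you can check which request paths the `*/logs` rule would block before applying it. The Kiali API path shape is taken from the comment in the policy; the sample request paths are constructed.

```python
"""Offline check of an Istio AuthorizationPolicy DENY rule on request paths."""
from __future__ import annotations

from dataclasses import dataclass


def path_matches(pattern: str, path: str) -> bool:
    """Istio StringMatch semantics for one entry of `to.operation.paths`."""
    if pattern == "*":                    # presence match: any path
        return True
    if pattern.startswith("*"):           # suffix match, e.g. "*/logs"
        return path.endswith(pattern[1:])
    if pattern.endswith("*"):             # prefix match, e.g. "/kiali/api/*"
        return path.startswith(pattern[:-1])
    return path == pattern                # exact match


@dataclass
class DenyPolicy:
    """Minimal model of `action: DENY` with a single `to.operation.paths` rule."""
    paths: list[str]

    def is_denied(self, path: str) -> bool:
        # A DENY policy takes effect as soon as any listed pattern matches.
        return any(path_matches(p, path) for p in self.paths)


# The rule posted in the thread.
DENY_LOGS = DenyPolicy(paths=["*/logs"])

# Constructed sample request paths, mapped to the expected decision (True = denied).
SAMPLE_PATHS = {
    "/kiali/api/namespaces/bookinfo/pods/productpage-v1-abc/logs": True,
    "/kiali/api/namespaces/bookinfo/pods/productpage-v1-abc": False,
    "/kiali/api/namespaces/bookinfo/workloads/productpage-v1": False,
    # Suffix match is not scoped to Kiali: any workload path ending in /logs is hit too.
    "/some-other-app/logs": True,
}


def evaluate(policy: DenyPolicy, paths) -> dict[str, bool]:
    """Return the DENY decision for each path."""
    return {p: policy.is_denied(p) for p in paths}


if __name__ == "__main__":
    for p, denied in evaluate(DENY_LOGS, SAMPLE_PATHS).items():
        print(f"{'DENY ' if denied else 'ALLOW'} {p}")
```

Because the posted policy has no `spec.selector`, it applies to every workload in the namespace it is created in; scoping it to the Kiali workload keeps the `*/logs` suffix from affecting other services.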
@jmazzitelli (Collaborator)

jmazzitelli commented Feb 25, 2022

This is an interesting enhancement request and conceivably could be expanded.

The issue as I see it is "don't allow the user to even SEE something, even in view-only mode".

We added that "view-only" mode because people want to allow users to SEE things but not MODIFY things.

But this takes that feature a step further: even if Kiali is in view-only mode (but it is not required to be), there is a subset of data that you might not want users to even SEE.

Perhaps we need a feature flag group to allow us to do something in the future to hide other things in the UI (not just logs).

Something like:

spec:
  feature_flags:
    kiali_disabled_features:
    - log_view
    - tracing_view
    - ...anything else we want...

I don't know if that is thinking too hard about this problem. If so, and we don't think we will have any other features we want to disable in the future, we could just add a boolean spec.feature_flags.disable_log_view.

@jshaughn jshaughn added the backlog Triaged Issue added to backlog label Mar 8, 2022
@jmazzitelli jmazzitelli self-assigned this Mar 23, 2022
jmazzitelli added a commit to jmazzitelli/helm-charts that referenced this issue Mar 23, 2022
jmazzitelli added a commit to jmazzitelli/kiali-operator that referenced this issue Mar 23, 2022
jmazzitelli added a commit to jmazzitelli/kiali-operator that referenced this issue Mar 23, 2022
jmazzitelli added a commit to jmazzitelli/kiali-operator that referenced this issue Mar 23, 2022
jmazzitelli added a commit to jmazzitelli/kiali that referenced this issue Mar 23, 2022
@jmazzitelli jmazzitelli added requires operator PR It requires update in operator code requires helm chart PR labels Mar 23, 2022
@jmazzitelli (Collaborator)

jmazzitelli commented Mar 23, 2022

jmazzitelli added a commit to jmazzitelli/kiali that referenced this issue Mar 23, 2022
jmazzitelli added a commit to jmazzitelli/kiali that referenced this issue Mar 24, 2022
jmazzitelli added a commit to jmazzitelli/kiali that referenced this issue Mar 24, 2022
jmazzitelli added a commit to jmazzitelli/kiali-operator that referenced this issue Mar 24, 2022
jmazzitelli added a commit to jmazzitelli/kiali-operator that referenced this issue Mar 24, 2022
jmazzitelli added a commit to jmazzitelli/kiali that referenced this issue Mar 24, 2022
jmazzitelli added a commit to jmazzitelli/kiali that referenced this issue Mar 24, 2022
jmazzitelli added a commit to jmazzitelli/kiali that referenced this issue Mar 29, 2022
jmazzitelli added a commit to kiali/helm-charts that referenced this issue Mar 31, 2022
* provide the ability to disable features

part of: kiali/kiali#4737

* changing feature name to logs-tab
jmazzitelli added a commit to kiali/kiali-operator that referenced this issue Mar 31, 2022
* provide the ability to disable features

part of: kiali/kiali#4737

* changing feature name to logs-tab
jmazzitelli added a commit that referenced this issue Mar 31, 2022
* provide the ability to disable features

part of: #4737

* changing feature name to logs-tab

* if things are disabled, add message at login

* UI notification of disabled features

* fix the INFO notification color and icon.
fixes: #4871

* hide the popup notification

* fail fast if the feature name is invalid.
@jmazzitelli (Collaborator)

Feature implemented and merged in master.

@ANGkeith

ANGkeith commented Oct 8, 2022

I suspect you have more things to worry about than just leaking log messages :)
Thank you very much for implementing this feature!

Suppose the UI is IP-whitelisted to only trusted IPs, and Kiali is run in view-only mode.

What will be the other things that we'll need to be worried about?

@jmazzitelli (Collaborator)

What will be the other things that we'll need to be worried about?

I only made that remark because the person said they were using "anonymous" strategy - so anyone that can access the Kiali URL could see everything in Kiali (even if view-only mode) - so all your Istio resources (the Virtual Services, the Destination Rules, etc, etc) along with the graph of the entire mesh, for example, would be things exposed.

If you feel you have limited the access to the Kiali UI to only those people you want to grant access, then you should be OK. Otherwise, just look at the Kiali UI and see all the things you can see (traces, metrics, mesh graph, Istio resources). There may be some of those things you don't want to leak to unauthorized persons. This is why it is not recommended to use the "anonymous" auth.strategy; integrate Kiali with your auth system like OpenID to have true RBAC security.

Matiasmct pushed a commit to giffgaff/kiali-charts-backup that referenced this issue Nov 11, 2022
yzzeee pushed a commit to yzzeee/kiali that referenced this issue Jul 10, 2023
yzzeee pushed a commit to yzzeee/kiali that referenced this issue Jul 10, 2023