You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
At the group level in a job spec, Nomad will check the vault version. In the default case, this is a good idea. However, some customer choose to restrict the Version info from the /health endpoints. Obfuscating the Vault version is just one more way to prevent information an attacker might need if your Vault endpoint is publicly exposed.
Unfortunately, this will cause a jobspec to fail even when a perfectly working Vault instance is up and running. Even more interestingly, is that Nomad has already
At the group level and bypass this limitation, but I think it would be clearer for the users to expose a config option (which by default, represents current behavior) that allows us to disable this constraint check.
Thoughts?
The text was updated successfully, but these errors were encountered:
Hi @adawalli ! Thanks for raising the issue. We'd like to get more input, as we haven't run into this scenario in the past, and not being able to detect the Vault version may hinder us from coping with backward incompatible changes in Vault effectively. I'm glad that you found an alternative.
Would love to get more prospective on the motivation behind masking the value and what threat model you are considering here. Curious how you are masking the version and what is it set at? Did you considering setting an arbitrary large version (e.g. 99.99.99)? I also realize that these decisions might be out of your control ;-).
I was also told It's common practice to avoid exposing versions of software being run on public services to avoid vulnerability scans and potential targeted attacks
As far as the Version hiding, I believe it's done through some gateway magic, but I am not sure offhand.
Nomad version
Nomad v0.12.0 (8f7fbc8e7b5a4ed0d0209968faf41b238e6d5817)
Issue
At the group level in a job spec, Nomad will check the vault version. In the default case, this is a good idea. However, some customer choose to restrict the Version info from the
/health
endpoints. Obfuscating the Vault version is just one more way to prevent information an attacker might need if your Vault endpoint is publicly exposed.Unfortunately, this will cause a jobspec to fail even when a perfectly working Vault instance is up and running. Even more interestingly, is that Nomad has already
/sys/init/sys/health
endpoint successfully (thanks to Skip checking Vault health #8524)all before deciding that it won't fetch a token for a client against a vault policy.
This means you will the following error
Now, in my case, I can thankfully add
At the group level and bypass this limitation, but I think it would be clearer for the users to expose a config option (which by default, represents current behavior) that allows us to disable this constraint check.
Thoughts?
The text was updated successfully, but these errors were encountered: