-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security: Protect a ServiceAccount token within a namespace #2962
Comments
@gabemontero I created this issue to document the security issue that I described in a design doc earlier. I don't yet know how to solve it, but this is probably a security blocker for us. |
This part is kind of hard right now, and I agree might need some thinking. The basic solution for this with RBAC would be to give developers something like this:
However, the developers can just use TaskRuns with embedded Task definitions, which would not require them to create a new Task. |
Granting a user the privilege to create a TaskRun or PipelineRun is really no different from granting the privilege to create a Job, Deployment, or StatefulSet. By that I mean that like it or not you've granted the ability to "indirectly" create a pod with any SystemAccount in the namespace and from there act as that user. Maybe OPA would be something that you could use to provide selective access however I've made my peace with this and just separate resources by namespace. |
cc @font |
Cool thanks @jlpettersson .... yeah I refrained from diving into your specific scenario when I was on the schedule in the API WG since you couldn't make it that day. As to how to solve it, and admission webhook is the only thing that comes to mind for me. Whether that admission webhook leverages OPA to enforce which SAs are used (OPA integrates into k8s via admission webhooks), or some other specific use case logic in the webhook, could be considered an implementation detail. |
Issues go stale after 90d of inactivity. /lifecycle stale Send feedback to tektoncd/plumbing. |
/remove-lifecycle-stale I touch upon this scenario, including my protoype to implement things along these lines, in my TEP tektoncd/community#152 , as well as a recent demo that @jlpettersson and I discussed briefly in Tekton slack Once I complete the TEP and we start documeint how this could be down with say OPA (including pointing to upstream OPA catalogs with "productized" examples, though we are not going to host "productized" policies for any of the catalogs in tekton itself) I think that could be sufficient to close this out, our at least propose so to @jlpettersson |
Stale issues rot after 30d of inactivity. /lifecycle rotten Send feedback to tektoncd/plumbing. |
/remove-lifecycle rotten |
Issues go stale after 90d of inactivity. /lifecycle stale Send feedback to tektoncd/plumbing. |
@jlpettersson any chance in your opinion my write up of solving this via policy engines like OPA/gatekeeper (or more recently kyverno as well as my feature requests to the to add support for CRDs has landed) is a sufficient enough explanation for saying this item is solved? I'll qualify that question minimally with the community stance declared in that TEP around deferring RBAC type scenarios to third party policy engine solutions, where adding of "native" RBAC systems of this ilk were rejected. |
Stale issues rot after 30d of inactivity. /lifecycle rotten Send feedback to tektoncd/plumbing. |
Rotten issues close after 30d of inactivity. /close Send feedback to tektoncd/plumbing. |
@tekton-robot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Feature request
Provide documentation on how to protect sensitive tokens within a CI/CD namespace
Use case
For a CI/CD-system for a larger company, a few things are important:
To fulfill the points listed above, some security mechanism needs to be added on-top of a Tekton installation. Using OpenPolicyAgent may potentially be a part of such a solution. It would be good to have a solution documented.
More details:
A CI/CD-system that fulfills the requirements above, may be installed as a Pipeline + Trigger within a namespace. Also a token or a ServiceAccountToken with access to production environment must probably exists within the namespace. Since the namespace contains Secrets/tokens that developers must not have access to, developers must not have access to the namespace - but to the Git repository that is configured to initiate the Trigger.
More specific security problem:
The token or ServiceAccountToken with production access, must only be used for a "verified" deployment ClusterTask. E.g. developers must not be able to create a print-token-task and use the ServiceAccountToken with that task.
The text was updated successfully, but these errors were encountered: