Enable Secret References to hide sensitive data #223

Open
stevendborrelli opened this issue Apr 16, 2024 · 0 comments · May be fixed by #253
Labels
enhancement New feature or request

Comments

@stevendborrelli

What problem are you facing?

Management of K8s secrets leaks data in the Object that creates the Secret.

Kubernetes apply will publish the secret data in the annotation (see wontfix kubernetes/kubernetes#29923). This makes sense on the Secret itself; however, provider-kubernetes includes the secret data in the Object annotations and in spec.forProvider.manifest.

PR #193 addressed this in the object's status, but we are still leaking data in the managed Object.

For example, creating the following secret using a patch from another Secret will leak the data in spec.forProvider.manifest:

```yaml
---
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: secretpatch
spec:
  references:
  # Use patchesFrom to patch field from other k8s resource to this object
  - patchesFrom:
      apiVersion: v1
      kind: Secret
      name: secretpatch
      namespace: crossplane-system
      fieldPath: data.sensitive
    toFieldPath: data.key-from-secret
  forProvider:
    manifest:
      apiVersion: v1
      kind: Secret
      metadata:
        namespace: default
      data: {}
  providerConfigRef:
    name: kubernetes-provider
---
apiVersion: v1
kind: Secret
metadata:
  name: secretpatch
  namespace: crossplane-system
type: Opaque
data:
  sensitive: cGFzc3dvcmQ=
```
The resulting managed Object, as returned by the cluster:

```yaml
#  kubectl get object.kubernetes.crossplane.io/secretpatch   -o yaml
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  annotations:
    crossplane.io/external-create-pending: "2024-04-16T15:03:32Z"
    crossplane.io/external-create-succeeded: "2024-04-16T15:03:32Z"
    crossplane.io/external-name: secretpatch
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"kubernetes.crossplane.io/v1alpha2","kind":"Object","metadata":{"annotations":{},"name":"secretpatch"},"spec":{"forProvider":{"manifest":{"apiVersion":"v1","data":{},"kind":"Secret","metadata":{"namespace":"default"}}},"providerConfigRef":{"name":"kubernetes-provider"},"references":[{"patchesFrom":{"apiVersion":"v1","fieldPath":"data.sensitive","kind":"Secret","name":"secretpatch","namespace":"crossplane-system"},"toFieldPath":"data.key-from-secret"}]}}
  creationTimestamp: "2024-04-16T15:03:32Z"
  finalizers:
  - finalizer.managedresource.crossplane.io
  generation: 3
  name: secretpatch
  resourceVersion: "361526"
  uid: 97cc668a-16ce-46a0-926c-8b0dbb79865c
spec:
  deletionPolicy: Delete
  forProvider:
    manifest:
      apiVersion: v1
      data:
        key-from-secret: cGFzc3dvcmQ=
      kind: Secret
      metadata:
        namespace: default
  managementPolicies:
  - '*'
  providerConfigRef:
    name: kubernetes-provider
  readiness:
    policy: SuccessfulCreate
  references:
  - patchesFrom:
      apiVersion: v1
      fieldPath: data.sensitive
      kind: Secret
      name: secretpatch
      namespace: crossplane-system
    toFieldPath: data.key-from-secret
status:
  atProvider:
    manifest:
      apiVersion: v1
      data:
        redacted: null
      kind: Secret
      metadata:
        annotations:
          kubectl.kubernetes.io/last-applied-configuration: '{"apiVersion":"v1","data":{"key-from-secret":"cGFzc3dvcmQ="},"kind":"Secret","metadata":{"namespace":"default"}}'
        creationTimestamp: "2024-04-16T15:03:32Z"
        managedFields:
        - apiVersion: v1
          fieldsType: FieldsV1
          fieldsV1:
            f:data:
              .: {}
              f:key-from-secret: {}
            f:metadata:
              f:annotations:
                .: {}
                f:kubectl.kubernetes.io/last-applied-configuration: {}
            f:type: {}
          manager: crossplane-kubernetes-provider
          operation: Update
          time: "2024-04-16T15:03:32Z"
        name: secretpatch
        namespace: default
        resourceVersion: "361522"
        uid: 49f2fad2-6670-4b0a-bfee-5be53faeeb1a
      type: Opaque
  conditions:
  - lastTransitionTime: "2024-04-16T15:03:32Z"
    reason: Available
    status: "True"
    type: Ready
  - lastTransitionTime: "2024-04-16T15:03:32Z"
    reason: ReconcileSuccess
    status: "True"
    type: Synced
```

How could Crossplane help solve your problem?

I'm not sure what the proper solution is; some ideas I had:

  • Maybe we could have something like a SecretRef that pulls selected keys during the Observe loop.
  • Have a special Secret Object
  • Update patchesFrom to hide fields in the forProvider
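As an added example (not provider-kubernetes code), the following Python walks a copy of the Object shown above and reports every field in which a value from the source Secret reappears. The Object dict is constructed from the kubectl output in this issue, trimmed to the relevant fields.

```python
# Added example, not provider-kubernetes code: report every field of a
# Crossplane Object where a value from the source Secret reappears.
from typing import Any, Dict, List

# Constructed from the issue's `kubectl get object ... -o yaml` output,
# trimmed to the fields relevant to the leak.
LEAKED_OBJECT: Dict[str, Any] = {
    "apiVersion": "kubernetes.crossplane.io/v1alpha2",
    "kind": "Object",
    "metadata": {
        "name": "secretpatch",
        "annotations": {
            "kubectl.kubernetes.io/last-applied-configuration":
                '{"spec":{"forProvider":{"manifest":{"data":{}}}}}',
        },
    },
    "spec": {"forProvider": {"manifest": {
        "kind": "Secret", "data": {"key-from-secret": "cGFzc3dvcmQ="}}}},
    "status": {"atProvider": {"manifest": {
        "data": {"redacted": None},
        "metadata": {"annotations": {
            "kubectl.kubernetes.io/last-applied-configuration":
                '{"data":{"key-from-secret":"cGFzc3dvcmQ="}}'}}}}},
}

# The source Secret's data as given in the issue (base64 of "password").
SOURCE_SECRET_DATA = {"sensitive": "cGFzc3dvcmQ="}


def find_leaks(obj: Any, secret_values: List[str], path: str = "") -> List[str]:
    """Return dotted paths of every string leaf containing a secret value.

    Substring matching also catches JSON packed into annotations such as
    last-applied-configuration, without parsing it.
    """
    hits: List[str] = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            hits += find_leaks(val, secret_values, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            hits += find_leaks(val, secret_values, f"{path}[{i}]")
    elif isinstance(obj, str) and any(v in obj for v in secret_values):
        hits.append(path)
    return hits


def leaked_paths(managed_object: Dict[str, Any], source_data: Dict[str, str]) -> List[str]:
    """Paths in the managed Object where any value of the source Secret shows up."""
    return find_leaks(managed_object, list(source_data.values()))
```

Run against the output above it flags spec.forProvider.manifest and also the last-applied-configuration annotation inside status.atProvider.manifest, which still carries the value even though the status data itself is redacted.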