-
Notifications
You must be signed in to change notification settings - Fork 14
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
2 changed files
with
21 additions
and
16 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -39,7 +39,7 @@ In order to execute Terraform recipes, Applications RP installs latest Terraform | |
|
|
||
| In order to deploy bicep recipes, Applications RP sends a request to UCP, which in turn forwards it to Deployment Engine. | ||
|
|
||
| The RP uses a queue to process requests asyncronously. Information about resources that are deployed / being deployed is stored in a datastore. | ||
| The RP uses a queue to process requests asynchronously. Information about resources that are deployed / being deployed is stored in a datastore. | ||
|
|
||
| Sample high level flow: | ||
|
|
||
|
|
@@ -72,7 +72,7 @@ Below is a high level overview of various key subcomponents in Applications RP | |
|
|
||
| 1. **Computing the Hash for Terraform Backend Configuration**: [Link to code](https://github.com/radius-project/radius/blob/main/pkg/recipes/terraform/config/backends/kubernetes.go#L110). | ||
|
|
||
| 1. **Purpose**: The purpose of computing the hash is to compute a key for kubernetes secret which has the etrraform backend config | ||
| 1. **Purpose**: The purpose of computing the hash is to compute a key for kubernetes secret which has the Terraform backend config | ||
| 2. **Library**: The library used to calculate the hash of the deployment configuration is the crypto library, which is one of the standard libraries of Go: [Link to library](https://pkg.go.dev/[email protected]). | ||
| 3. **Type**: [SHA1](https://www.rfc-editor.org/rfc/rfc3174.html). Note: "SHA-1 is cryptographically broken and should not be used for secure applications." [Link to warning](https://pkg.go.dev/crypto/[email protected]). This is used as an optimization for detecting changes, not as a security protection. | ||
|
|
||
|
|
@@ -82,7 +82,7 @@ Below is a high level overview of various key subcomponents in Applications RP | |
|
|
||
| Applications RP has access to sensitive information related to the application resource it manages as well as the cloud credentials it requires for managing cloud resources on Azure and AWS. | ||
|
|
||
| ##### Managing cloud credentails | ||
| ##### Managing cloud credentials | ||
|
|
||
| Applications RP requires AWS and Azure credentials for accessing and managing resources in cloud. It fetches credentials using UCP Secret Provider library. | ||
| Credentials are not available for retrieval through API. The RP also supports [federated identity](https://docs.radapp.io/guides/operations/providers/overview) for both Azure and AWS. Unless there is a limitation that prevents using federated identity, users should prefer using this since it removes the need to store secrets. | ||
|
|
@@ -95,7 +95,7 @@ Applications RP provides a secret store which can be used to store sensitive inf | |
|
|
||
| ###### Managing secrets for datastores | ||
|
|
||
| Applications RP service has a Datastore RP. This RP is the resource provider for datstores such as SQL database, Mongo DB and Redis Cache. As of today, sensitive information such as DB connection string, user/ password that is required to provision these resources is stored in plain text. The feature which enables datastores to use a secret store is in progress. Once the support is in, we will remove the ability to supply plain text secrets. Until the feature is available, we recommend the users use recipes to deploy datastores. | ||
| Applications RP service has a Datastore RP. This RP is the resource provider for datastores such as SQL database, Mongo DB and Redis Cache. As of today, sensitive information such as DB connection string, user/ password that is required to provision these resources is stored in plain text. The feature which enables datastores to use a secret store is in progress. Once the support is in, we will remove the ability to supply plain text secrets. Until the feature is available, we recommend the users use recipes to deploy datastores. | ||
| ref: [Extending use cases for Radius secret stores](https://github.com/radius-project/design-notes/blob/6a05f7e736e62070f9d9bca50cb1a9b2bec8aa35/resources/2024-07-secretstore-feature-spec.md) | ||
|
|
||
| #### Access to cluster | ||
|
|
@@ -108,15 +108,15 @@ The Applications RP can create ingress Kubernetes objects. While deploying a Rad | |
|
|
||
| #### Bicep Recipe execution | ||
|
|
||
| Bicep recipes can provision arbitrary infrastructure resources in the cloud, and are provided by users. In order to execute a Bicep recipe, Applications RP's Recipe Engine first authenticates with a OCI compliant registry and then downloads the recipe from it. RP uses the stored Azure credentials to authenticate with the registry. RP also supports federated credentials. When enabled, RP uses this to authenticate with the registry. Whenever possible, federated identies should be preferred and used for robust security. After retrieving the Bicep recipe, the RP requests UCP to deploy it. | ||
| Bicep recipes can provision arbitrary infrastructure resources in the cloud, and are provided by users. In order to execute a Bicep recipe, Applications RP's Recipe Engine first authenticates with a OCI compliant registry and then downloads the recipe from it. RP uses the stored Azure credentials to authenticate with the registry. RP also supports federated credentials. When enabled, RP uses this to authenticate with the registry. Whenever possible, federated identities should be preferred and used for robust security. After retrieving the Bicep recipe, the RP requests UCP to deploy it. | ||
|
|
||
| By default, the communication with registries use TLS. We allow plain text download of the recipes with locally hosted registry which might not have TLS capabilities. This is not recommended unless absolutely neccessary, to avoid any potential modification to the recipes. | ||
| By default, the communication with registries use TLS. We allow plain text download of the recipes with locally hosted registry which might not have TLS capabilities. This is not recommended unless absolutely necessary, to avoid any potential modification to the recipes. | ||
|
|
||
| #### Terraform Recipe execution | ||
|
|
||
| Terraform recipes are download from internet too. We support public and private modules as well as different kinds of authentication. Terraform modules can be downloaded only on TLS. | ||
|
|
||
| Terraform downloads providers from the internet onto an empty directory `/terraform` which is mounted into the applications RP pod and executes them. This means that these providers have access to the network, filesystem, and environment variables, as well as the running memory of Applications RP. Terraform communicates with AWS as needed to deploy resources. | ||
| Terraform downloads providers from the internet onto an empty directory `/terraform` which is mounted into the applications RP pod and executes them. This means that these providers have access to the network, file system, and environment variables, as well as the running memory of Applications RP. Terraform communicates with AWS as needed to deploy resources. | ||
|
|
||
| Terraform containerization efforts are in progress, which aims to overcome the above mentioned security challenges. | ||
|
|
||
|
|
@@ -164,7 +164,7 @@ Below are the key points associated with data flow: | |
| 1. Applications RP receives request to deploy resources from UCP and sends back appropriate response. | ||
| 2. Depending on the resource to be deployed Applications RP takes the next step | ||
| 1. If the request is to deploy a recipe, Applications RP first downloads the recipe from a OCI registry (for bicep) or public module (for terraform) | ||
| 2. Applications RP requests UCP to deploy bicep recipes. Or if its a Terraform recipe, the downloaded recipe is exceuted using the installed terraform, in the empty terraform directory mounted into the Applications RP pod. As part of this executiion, Terraform integrated in RP makes AWS and Azure API calls. | ||
| 2. Applications RP requests UCP to deploy bicep recipes. Or if its a Terraform recipe, the downloaded recipe is executed using the installed terraform, in the empty terraform directory mounted into the Applications RP pod. As part of this execution, Terraform integrated in RP makes AWS and Azure API calls. | ||
| 3. If it is a kubernetes resource such as container, the RP interacts with API server to render the resource. | ||
| 3. Application RP uses API server to save Radius resources and Async Operations By default, API Server is used as Radius Datastore and Queue. | ||
|
|
||
|
|
@@ -178,7 +178,7 @@ If a malicious actor can impersonate Applications RP, requests from UCP will be | |
|
|
||
| **Impact:** | ||
| All data sent from UCP to Applications RP will be available to the malicious actor, such as payloads of resources. These payloads can disclose information about Application resources. | ||
| The impersonator would also be able to retreive credentials through UCP. The credentials can be used to create and consume Azure and AWS resources. The impersonator could also update Environment recipe links to use an outdated/ vulnerable version of the resource. | ||
| The impersonator would also be able to retrieve credentials through UCP. The credentials can be used to create and consume Azure and AWS resources. The impersonator could also update Environment recipe links to use an outdated/ vulnerable version of the resource. | ||
|
|
||
| **Mitigations:** | ||
|
|
||
|
|
@@ -212,7 +212,7 @@ Pending | |
| If a malicious actor could sniff communication between the applications RP and the UCP, the actor could modify/replay the packets. | ||
|
|
||
| **Impact:** | ||
| A malicious actor could use the information about the resources and operations in progress. They can also replay the same requests to cause a DDoS or send a modified payload to cause inadvertant changes to application. | ||
| A malicious actor could use the information about the resources and operations in progress. They can also replay the same requests to cause a DDoS or send a modified payload to cause inadvertent changes to application. | ||
|
|
||
| **Mitigations** | ||
|
|
||
|
|
@@ -226,7 +226,7 @@ A malicious actor could use the information about the resources and operations i | |
|
|
||
| 2. Pending. We should add support in Radius to use mTLS as communication protocol between UCP and Applications RP. | ||
|
|
||
| #### Using recipes can cause escalation of priviledge | ||
| #### Using recipes can cause escalation of privilege | ||
|
|
||
| **Description** | ||
| A malicious user could become the admin, and configure recipes to create / update resources without having permissions to access these resources directly. | ||
|
|
@@ -237,15 +237,15 @@ This can facilitate the attackers to create resources based on any arbitrary ima | |
| **Mitigations** | ||
| 1. Ability to register recipes should be given to only trusted employees. This in will be possible once Radius to support RBAC. | ||
|
|
||
| 2. Since each application resource is deployed in the application's namespace, we can use Kubernetes RBAC to confine potential security implications to the application's namepsace. | ||
| 2. Since each application resource is deployed in the application's namespace, we can use Kubernetes RBAC to confine potential security implications to the application's namespace. | ||
|
|
||
| 3. Any container launched by Radius is subject to Kubernetes as the platform. Users should configure their Kubernetes cluster to ensure that pods are created only from images hosted on trusted URLs or registries. | ||
|
|
||
| 4. Users should configure RBAC of Radius with principle of least privilege so that blast radius of any security incidents involving Radius is minimized. | ||
|
|
||
|
|
||
| **Status** | ||
| 1. Pending. We should implement Radius RBAC and then use the feature to restrict recipe registeration to only trusted employees. | ||
| 1. Pending. We should implement Radius RBAC and then use the feature to restrict recipe registration to only trusted employees. | ||
|
|
||
| 2. Active. Operators are expected limit access so that an application in its own namespace cannot by affected by application in another namespace. | ||
|
|
||
|
|
@@ -259,7 +259,7 @@ This can facilitate the attackers to create resources based on any arbitrary ima | |
| Application definitions could create pods from any arbitrary image. This container executes code, and it can potentially lead to misuse of cluster resources. | ||
|
|
||
| **Impact** | ||
| These containers can then potentially expose secrets, overconsume resources or create several resources, delete important infrasture etc. | ||
| These containers can then potentially expose secrets, overconsume resources or create several resources, delete important infrastructure etc. | ||
|
|
||
| **Mitigations** | ||
| 1. Application definition and images and recipes used should be reviewed and only authorized users should be able to create and deploy application definitions. Radius RBAC could enable only trusted users to manage application definition recipe configurations and deployment. | ||
|
|
@@ -274,7 +274,7 @@ These containers can then potentially expose secrets, overconsume resources or c | |
|
|
||
| #### Applications RP has the a ability to create managed identities which if misused can lead to Escalation of Privilege | ||
|
|
||
| **Description:** If a malicious actor uses Radius, they could deploy Azure managed identity which could provide escalated priviledges to users. | ||
| **Description:** If a malicious actor uses Radius, they could deploy Azure managed identity which could provide escalated privileges to users. | ||
|
|
||
| **Impact:** A malicious actor use this ability to gain inappropriate access to azure resources. | ||
|
|
||
|
|
@@ -288,7 +288,7 @@ Pending. This mitigation requires RBAC support in radius. | |
|
|
||
| ## Open Questions | ||
|
|
||
| Nonewip | ||
| None | ||
|
|
||
| ## Action Items | ||
|
|
||
|
|
||