Security issue #199

Open
ric79 opened this issue Nov 30, 2020 · 2 comments
Labels
enhancement New feature or request

Comments

@ric79

ric79 commented Nov 30, 2020

Hello,
I have a security issue.
To start the automation I need to pass the --kube-config file, which contains the infrastructure credentials in plain text.
For this reason, I cannot use the tool in production. Is it possible to solve the problem?

One solution is to use an ansible-like approach. For example, the kube-config could also be passed encrypted. Your internal parser could then look for an environment key (KUBETEST_DECRYPT_KEY) for decrypting it. This is a standard solution where the inventories are encrypted and you need a key to run.

Riccardo
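The ansible-vault-style flow proposed above (an encrypted config on disk, a decryption key supplied only through an environment variable at run time), as an added example written for this page; it is not kubetest's code and the project implements nothing like it as of this thread. The environment variable name KUBETEST_DECRYPT_KEY is taken from the comment; the file marker `$KUBETEST_ENC;1`, the `load_kubeconfig` hook and the sample kubeconfig are assumptions made for illustration. The cipher is encrypt-then-MAC built from the standard library only (HMAC-SHA256 in counter mode for the keystream, PBKDF2 for key derivation, a separate HMAC tag over salt, nonce and ciphertext) so the block runs without third-party packages; a real implementation should use a vetted AEAD such as Fernet from the `cryptography` package, or defer to an existing tool like sops or age, rather than this hand-rolled construction.

```python
"""Example only: transparent decryption of an encrypted kubeconfig.

Hypothetical format (not a kubetest format):
    MAGIC || salt(16) || nonce(16) || ciphertext || tag(32)
"""
import hashlib
import hmac
import os
import secrets
import struct
import tempfile

MAGIC = b"$KUBETEST_ENC;1\n"        # assumed marker identifying an encrypted file
ENV_KEY = "KUBETEST_DECRYPT_KEY"    # env var name from the issue comment
PBKDF2_ITERATIONS = 200_000

# Constructed sample input: a minimal kubeconfig holding a bearer token.
SAMPLE_KUBECONFIG = """apiVersion: v1
kind: Config
clusters:
- name: prod
  cluster: {server: https://10.0.0.1:6443}
users:
- name: ci
  user: {token: example-token-not-real}
contexts:
- name: prod
  context: {cluster: prod, user: ci}
current-context: prod
"""


def _derive_keys(passphrase: bytes, salt: bytes):
    """Stretch the passphrase into one encryption key and one MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase, salt, PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode; yields `length` bytes."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_kubeconfig(plaintext: bytes, passphrase: str) -> bytes:
    """Encrypt-then-MAC. Fresh salt and nonce per file so keys are never reused."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = _derive_keys(passphrase.encode(), salt)
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return MAGIC + salt + nonce + ciphertext + tag


def decrypt_kubeconfig(blob: bytes, passphrase: str) -> bytes:
    """Verify the tag before touching the ciphertext; any mismatch is fatal."""
    if not blob.startswith(MAGIC):
        raise ValueError("not an encrypted kubeconfig")
    body = blob[len(MAGIC):]
    if len(body) < 64:
        raise ValueError("truncated encrypted kubeconfig")
    salt, nonce, ciphertext, tag = body[:16], body[16:32], body[32:-32], body[-32:]
    enc_key, mac_key = _derive_keys(passphrase.encode(), salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication tag mismatch (wrong key or tampered file)")
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


def load_kubeconfig_bytes(data: bytes, env=None) -> str:
    """Hypothetical loader hook: plaintext files pass through, encrypted ones
    are decrypted with the key from KUBETEST_DECRYPT_KEY (never from argv)."""
    env = os.environ if env is None else env
    if data.startswith(MAGIC):
        key = env.get(ENV_KEY)
        if not key:
            raise RuntimeError(f"{ENV_KEY} is not set but --kube-config is encrypted")
        data = decrypt_kubeconfig(data, key)
    return data.decode()


def load_kubeconfig(path: str, env=None) -> str:
    with open(path, "rb") as fh:
        return load_kubeconfig_bytes(fh.read(), env)


def demo(passphrase: str = "demo-passphrase") -> str:
    """Round trip through a temp file, the way a CI job would consume the config."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "kubeconfig.enc")
        with open(path, "wb") as fh:
            fh.write(encrypt_kubeconfig(SAMPLE_KUBECONFIG.encode(), passphrase))
        return load_kubeconfig(path, env={ENV_KEY: passphrase})


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would want: the loader returns the decrypted text only in memory, but the passphrase still sits in the process environment, which is readable by other processes of the same user and is inherited by every child pytest spawns, so the CI system should inject it per job rather than set it in a shell profile; and the plaintext kubeconfig must never be written back to disk (note that `demo` writes only the encrypted form).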

@edaniszewski
Contributor

Thanks for opening up the issue -- sorry I didn't get to it sooner. This definitely seems like something that can be implemented. The approach you suggested seems like it would be pretty feasible to implement.

I'm spread a bit thin right now, so I can't get to this right away, but I'll definitely put it on my roadmap for the near future.

@edaniszewski edaniszewski added the enhancement New feature or request label Dec 16, 2020
@danquack
Contributor

danquack commented Jan 3, 2021

@ric79 can you provide an example of what the contents of an encrypted config would look like?

One workaround my team used for this is loading the config, then setting the encrypted portions within Python itself (pulling from a remote source). Not sure if this is similar to what you are trying to do, but here's a simplified version of the overrides. In this example, the secret portion is the account id and a variable, but I imagine you can extrapolate this to whatever your use case is.

# boto3's client() resolves the AWS account id at run time, so the
# account-specific role ARN never has to be stored in configs/sa.yaml.
from boto3 import client


def create_sa(kube, secret_role_name):
    """
    A helper function to create service account
    """
    sa = kube.load_serviceaccount("configs/sa.yaml")
    account_id = client('sts').get_caller_identity()["Account"]
    role_arn = f"arn:aws:iam::{account_id}:role/{secret_role_name}"
    # annotations is None when the manifest declares none; create the dict first
    if sa.obj.metadata.annotations is None:
        sa.obj.metadata.annotations = {}
    sa.obj.metadata.annotations['eks.amazonaws.com/role-arn'] = role_arn
    return sa


def test_create_sa(kube, secret_role_name):
    """
    A function to test the creation of a service account
    Goal: This will test the ability to interface with the k8s cli
    """
    kube.namespace = "dev"
    # patch_namespace is a team-specific helper not shown in this comment
    patch_namespace(kube.namespace)

    sa = create_sa(kube, secret_role_name)
    kube.create(sa)
    assert sa.is_ready()
