Skip to content

surajssd/k8s-secret-access-validator

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
config
config
 
 
pkg/webhook
pkg/webhook
 
 
.gitignore
.gitignore
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

Kubernetes Secret Access Validator

This is a Kubernetes validating webhook which checks if a user is requesting access to secret covertly. A user can access a secret even if they don't have access to it by creating a pod and mounting that secret in the pod. All they have to know is secret name.

This webhook server checks the incoming pod requests and verifies if the user creating the pod has RBAC access to the specified secret. If the user does not have RBAC access to the secret then the request is denied.

Prerequisite

Install

cd config
helm repo update
helm dependency update
helm install validate-secrets \
    --create-namespace \
    --namespace validate-secrets \
    .

Trying it out

We will try to recreate the scenario explained in this blog post, which shows how a user can access any secret even if they don't have RBAC permission to access it.

Once you install the above webhook server, create a test user that has access to pod, but not to secrets.

kubectl -n default create role pod-all --verb=* --resource=pods --resource=pods/exec
kubectl -n default create rolebinding pod-all:nastyuser --role=pod-all --user=nastyuser
kubectl -n default create secret generic supersecret --from-literal data=supersecretvaluesinhere
alias kubectl='kubectl -n default --as=nastyuser'
kubectl -n default auth can-i --list

Save this pod config in pod.yaml and we will try to deploy it:

apiVersion: v1
kind: Pod
metadata:
  labels:
    run: sleep
  name: sleep
spec:
  containers:
  - args:
    - sleep
    - infinity
    image: fedora
    name: sleep
    resources: {}
    volumeMounts:
    - name: hackedsecret
      mountPath: /access-secret/
  dnsPolicy: ClusterFirst
  restartPolicy: Always
  volumes:
  - name: hackedsecret
    secret:
      secretName: supersecret

Try to deploy it:

$ kubectl create -f pod.yaml
Error from server: error when creating "pod.yaml": admission webhook "validating.suraj.io" denied the request: User "nastyuser" does not have access to the secret "supersecret" in the namespace "default".

It failed with an error saying that the user cannot deploy this particular pod.

Upgrade

helm upgrade validate-secrets \
    --namespace validate-secrets \
    .

Uninstall

helm uninstall validate-secrets -n validate-secrets
helm template validate-secrets . | kubectl delete -f -
kubectl delete ns validate-secrets

Missing features

  • Add Readiness and Liveness probes.
  • Add support for checking the group permissions.
  • Add unit tests.
  • Add support for Deployment, StatefulSets, Job, CronJob, Daemonset, etc. or any in built controller type that has pod spec in it.
  • Create a library that anyone can import it in their webhook server.

About

No description, website, or topics provided.

Resources

Readme

License

Apache-2.0 license
Activity

Stars

5 stars

Watchers

3 watching

Forks

4 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages