Skip to content
This repository was archived by the owner on Jul 26, 2022. It is now read-only.

Specifying unique vaultRole per external secrets result in permission denied for all but one #487

Closed
pault28 opened this issue Sep 18, 2020 · 4 comments · Fixed by #488
Closed

Specifying unique vaultRole per external secrets result in permission denied for all but one #487

pault28 opened this issue Sep 18, 2020 · 4 comments · Fixed by #488

Comments

@pault28
Copy link

pault28 commented Sep 18, 2020

Version: godaddy/kubernetes-external-secrets:4.2.0
We have a permission strategy in vault which gives each kubernetes auth backend role permission to specific path in vault.
Using these roles for different external secrets results in permission denied for all but the ones with one of the roles.
How does the authentication works:

  • Does it login as a role and keeps renewing the provided token? and when it process a secret that is defined with a different role it still tries to access the secret in vault using that logged on role?
  • Is there a way to support multiple controllers that will logon with different roles?

As an example, given these two secrets, one will always succeed and the other will fail during sync.

apiVersion: 'kubernetes-client.io/v1'
kind: ExternalSecret
metadata:
  name: test
  namespace: test_role
spec:
  backendType: vault
  vaultMountPoint: kubernetes-dev
  vaultRole: test-role #example role
  kvVersion: 1
  data:
    - name: password
      key: secret/Test/test_role
      property: password

apiVersion: 'kubernetes-client.io/v1'
kind: ExternalSecret
metadata:
  name: test
  namespace: test_role2
spec:
  backendType: vault
  vaultMountPoint: kubernetes-dev
  vaultRole: test-role2  #example role 2
  kvVersion: 1
  data:
    - name: password
      key: secret/Test/test_role2
      property: password
@megakid
Copy link
Contributor

megakid commented Sep 18, 2020

This seems related to #457

If KES is caching the login token then that login token can only be for a single vault role. Does KES need to be a little smarter and cache a map of roles -> tokens and look up (& potentially renew these) as necessary?

@megakid megakid mentioned this issue Sep 19, 2020
Merged
@KouriR
Copy link

KouriR commented Sep 22, 2020
edited
Loading

Ideally you could specify a service account as well, and KES would read the JWT from the service account and use that in the auth.
See #474

@pault28
Copy link
Author

pault28 commented Sep 22, 2020

Agree @KouriR . Granting the service account multiple vault roles is acceptable as long as you lock down the service account namespace. Users in other namespace simply say what role they are using (which should be the one assigned to them/team).

Using multiple service accounts will require multiple deployments of KES.

@KouriR
Copy link

KouriR commented Sep 22, 2020

Giving the KES operator access to all your roles does not work in a multitenant environment. A malicious user can simply specify a role which they should not have access to.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Cache Vault clients/tokens on a per-role&mountpoint basis. megakid/kubernetes-external-secrets
3 participants
@KouriR @megakid @pault28