Portainer Edge Agent security

[c3c]

Looking at the source code of Portainer Agent in Edge mode, it seems like it will always start the HTTP API in insecure mode.
https://github.com/portainer/agent/blob/develop/cmd/agent/main.go#L240-L241

While the regular Portainer Agent can require Mutual TLS, I don't see this option for Portainer Edge Agent.

Doesn't this mean that anyone on the bridge network (i.e. other containers) and other processes on the host can reach the Agent API interface (even when it's not EXPOSE'd) when it's in Edge mode? Considering containers can get compromised, wouldn't that introduce a security risk?

[deviantony]

Hi @c3c,

You are right, even if this was originally by design when we created the Edge agent with Swarm in mind: https://github.com/portainer/agent#api-server

We did not consider this as a problem when we open up support for the Edge agent on Docker standalone but we do think that this might lead to a security issue (even when running the agent in a Swarm cluster actually).

We're currently looking into this and one potential solution would be to re-use the Authentication mechanism of the regular agent mode (https://github.com/portainer/agent#authentication) without the HTTPS layer.

[huib-portainer]

More details in portainer/portainer#5498