Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Document system:authenticated group usage in GKE #1448

Open
alemorcuq opened this issue Jan 25, 2024 · 3 comments
Open

Document system:authenticated group usage in GKE #1448

alemorcuq opened this issue Jan 25, 2024 · 3 comments
Labels
backlog Issues/PRs that will be included in the project roadmap documentation good first issue

Comments

@alemorcuq
Copy link
Collaborator

alemorcuq commented Jan 25, 2024

We are binding the system:authenticated group to the service-proxier role so that kubeseal can easily communicate with the controller to get the public key and encrypt your secrets. This role only has permissions to get the sealed-secrets service and to make POST and GET requests to that service.

In GKE, the use of system:authenticated is discouraged because anyone with a Google account is assigned to that group. Here's a recent KubeCon talk on this topic that mentions our use case.

While nothing sensitive is exposed to users on that group, we should document this in our GKE documention. We should also add an option in the chart to allow users to disable the creation of the service-proxier service.

@alemorcuq alemorcuq added triage Issues/PRs that need to be reviewed good first issue documentation backlog Issues/PRs that will be included in the project roadmap and removed triage Issues/PRs that need to be reviewed labels Jan 25, 2024
@keithjpaulson
Copy link

use of system:authenticated is more than discouraged; from google docs
"To help secure your clusters against mass malware attacks that exploit cluster-admin access misconfigurations, GKE clusters running version 1.28 and later won't allow you to bind the cluster-admin ClusterRole to the system:anonymous user or to the system:unauthenticated or system:authenticated groups."
I'd guess this will cause issues on GKE if the service-proxier isn't disabled, or group isn't changed?

@alemorcuq
Copy link
Collaborator Author

@keithjpaulson:

From your quote, it says that you won't be able to bind the cluster-admin ClusterRole to system:authenticated. Doing this effectively gives full admin rights to your cluster to anyone with a Google account, that's why Google is disabling it.

We are not doing that. We are binding a custom Role that only have permissions to do GET and POST requests to a specific service created by us.

@keithjpaulson
Copy link

@alemorcuq Correct, I read that part wrong -- they will just flag any use of system:authenticated as potentially insecure in console popups and emails that make administrators like me (who haven't touched sealed secrets) panic a bit. Apologies.

alemorcuq pushed a commit that referenced this issue Feb 14, 2024
**Description of the change**

Add options to the Helm chart to configure the `proxier` Role, and its
RoleBinding.

**Benefits**

This allows the user to override the default RoleBinding that grants
`system:authenticated` the `proxier` role. `system:authenticated` is not
a very safe option in a lot of clusters, so it's important to expose
this option.

**Possible drawbacks**

This was written to preserve existing behavior by default, so as to not
break compatibility. This isn't ideal as the existing behavior is
insecure on GKE (and possibly other contexts as well), but since it
doesn't directly expose anything damaging (but rather is a
defense-in-depth measure), it's probably OK to just highlight the
importance of changing this in the documentation.

**Applicable issues**
- partially addresses #1448

Signed-off-by: Alice Sawatzky <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backlog Issues/PRs that will be included in the project roadmap documentation good first issue
Projects
None yet
Development

No branches or pull requests

2 participants