
Strongly suggest removing access to Ignition config / metadata after first boot

Open travier opened this issue 4 years ago • 10 comments

On GCP at least, any local process can query metadata.google.internal and get the Ignition config used to provision the instance:

$ curl "http://metadata.google.internal/computeMetadata/v1/instance/attributes/user-data" -H "Metadata-Flavor: Google"
...

See https://cloud.google.com/appengine/docs/standard/java/accessing-instance-metadata

We should probably add instructions to remove that metadata once the system has booted (https://cloud.google.com/sdk/gcloud/reference/compute/instances/remove-metadata).

I don't know yet if that's a concern for other cloud providers.

travier, Jun 30 '21 17:06
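A post-boot audit in the spirit of this report, added here as an example and not code from the thread or from the Fedora CoreOS project: it queries the same GCP endpoint with the required Metadata-Flavor header, reports whether the returned value is an Ignition config and which of its fields usually carry secrets, and prints the gcloud remove-metadata command linked above. The Ignition v3 field names (passwd.users[].passwordHash, storage.files[].contents.source) are my assumption about the config format; the instance and zone names are placeholders.

```python
import json
import urllib.error
import urllib.request

# GCP metadata endpoint for the user-data attribute, as queried in the issue.
USER_DATA_URL = ("http://metadata.google.internal/computeMetadata/v1"
                 "/instance/attributes/user-data")


def fetch_user_data(url=USER_DATA_URL, timeout=2):
    """Body of user-data, or None if the key is gone (404) or no metadata
    server answers. Meant to run on the instance itself after first boot."""
    req = urllib.request.Request(url, headers={"Metadata-Flavor": "Google"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None

def assess(body):
    """Is the body an Ignition config, and which fields in it usually carry
    secrets? Field names follow the Ignition v3 spec (assumed here)."""
    result = {"exposed": bool(body), "is_ignition": False, "sensitive": []}
    try:
        cfg = json.loads(body) if body else {}
    except ValueError:
        return result                      # cloud-init YAML or other format
    if not (isinstance(cfg, dict) and "ignition" in cfg):
        return result
    result["is_ignition"] = True
    for i, user in enumerate(cfg.get("passwd", {}).get("users", [])):
        if user.get("passwordHash"):
            result["sensitive"].append(f"passwd.users[{i}].passwordHash")
    for i, f in enumerate(cfg.get("storage", {}).get("files", [])):
        src = (f.get("contents") or {}).get("source", "")
        if src.startswith("data:"):        # inline file body (tokens, certs)
            result["sensitive"].append(f"storage.files[{i}] ({f.get('path')})")
    return result

def remediation(instance, zone):
    """gcloud command (from the issue) that drops the key after first boot."""
    return f"gcloud compute instances remove-metadata {instance} --zone {zone} --keys=user-data"

if __name__ == "__main__":
    r = assess(fetch_user_data())
    print(json.dumps(r, indent=2))
    if r["exposed"]:
        print("remove with:", remediation("<INSTANCE>", "<ZONE>"))
```

Run it as the unprivileged user on a freshly booted instance; an empty "sensitive" list does not mean the config is harmless, only that none of the checked fields were present.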

It's a concern on any provider. I didn't know there was a way to remove userdata; that's neat.

See also #272 for the firewalling approach to this problem.

bgilbert, Jun 30 '21 17:06

The OpenShift SDN layer denies all link-local access from the pod network. See also https://github.com/4ARMED/kubeletmein

Note that some privileged containers in the ecosystem rely on accessing the metadata server, so a host-level firewall can break those.

cgwalters, Jun 30 '21 17:06

@travier - where do we stand on this? Need more discussion, or someone to execute?

dustymabe, Sep 23 '21 15:09

We need to add a warning and steps in the doc for the different platforms where this is possible.

travier, Sep 24 '21 10:09

Or instructions for #272 where doing this at the platform level is not possible.

travier, Sep 24 '21 10:09

Taking this one, but feel free to comment here if you'd like to do it, as I won't be able to get to it soon and it might be a good first issue for someone with access to a lot of platforms for testing.

travier, Sep 24 '21 10:09

I wouldn't necessarily try to tackle every provider which supports this in one card. Maybe we can make this one about GCP, and have separate cards for others? That way it can be divided up more easily.

jlebon, Sep 24 '21 14:09

Agreed, keeping this one for global tracking of this issue and creating a card for each platform will be best.

travier, Sep 27 '21 11:09

I'm still planning to work on this issue, but as I don't have a timeline, I don't want to give the misleading impression that this is in progress, so I'm removing myself as assignee. Feel free to take this, or I'll re-assign myself to it when I start working on it.

travier, Oct 27 '21 11:10

Some upstream docs in https://github.com/coreos/ignition/pull/1365.

bgilbert, May 12 '22 04:05