aws-load-balancer-controller
Support reading Headers values from Secrets
Is your feature request related to a problem?
We need to configure rule conditions based on specific header values. However, these values can contain sensitive data, so we don't want them to end up visible in plain text in the Ingress annotations. Example:
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  namespace: any-namespace
  name: any-ingress
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/conditions.sensible-headers: >
      [{"field":"http-header","httpHeaderConfig":{"httpHeaderName": "AnySensibleHeader", "values":["AnySensibleValue"]}}]
```
Describe the solution you'd like
Add support for reading header values from Kubernetes Secrets, as is already done for the clientID and clientSecret when using OIDC authentication.
```yaml
    alb.ingress.kubernetes.io/conditions.sensible-headers: >
      [{"field":"http-header","httpHeaderConfig":{"httpHeaderName": "AnySensibleHeader", "values":["secret://any-secret/any-key"]}}]
```
Describe alternatives you've considered
Load header values from AWS services like Parameter Store or Secrets Manager.
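As an added illustration of how the proposed `secret://<name>/<key>` reference could be resolved before a rule is pushed to the ALB (example code written for this page, not code from the issue or from the aws-load-balancer-controller project): the Go below parses the conditions annotation, swaps each reference for the bytes of the Secret key, and fails closed on a missing key or a malformed reference so the literal `secret://...` string can never become a matchable header value. The `secret://` syntax, `SecretLookup` and `MapLookup` are assumptions drawn from this issue, not an existing controller API, and the in-memory Secret data is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// HTTPHeaderConfig and RuleCondition mirror the JSON shape of the
// alb.ingress.kubernetes.io/conditions.<rule> annotation quoted in the issue.
// Only the http-header condition is modelled here.
type HTTPHeaderConfig struct {
	HTTPHeaderName string   `json:"httpHeaderName"`
	Values         []string `json:"values"`
}

type RuleCondition struct {
	Field            string            `json:"field"`
	HTTPHeaderConfig *HTTPHeaderConfig `json:"httpHeaderConfig,omitempty"`
}

// SecretLookup reads one key of a Secret (hypothetical; in a controller it would
// wrap a client-go Get, whose Data is already base64-decoded). The namespace is
// always the Ingress's own, so a reference cannot reach into another namespace.
type SecretLookup func(namespace, name, key string) ([]byte, bool)

// MapLookup is a constructed in-memory stand-in for a cluster Secret read, keyed by "namespace/name".
func MapLookup(data map[string]map[string][]byte) SecretLookup {
	return func(namespace, name, key string) ([]byte, bool) {
		secret, ok := data[namespace+"/"+name]
		if !ok {
			return nil, false
		}
		value, ok := secret[key]
		return value, ok
	}
}

// secretScheme is the reference syntax proposed in the issue: secret://<secret-name>/<key> (assumed, not implemented upstream).
const secretScheme = "secret://"

// ParseSecretRef reports whether v is a secret reference and, if so, its name and key.
// A value that starts with the scheme but is malformed is an error, not a literal.
func ParseSecretRef(v string) (name, key string, isRef bool, err error) {
	if !strings.HasPrefix(v, secretScheme) {
		return "", "", false, nil
	}
	var found bool
	name, key, found = strings.Cut(strings.TrimPrefix(v, secretScheme), "/")
	if !found || name == "" || key == "" || strings.Contains(key, "/") {
		return "", "", true, fmt.Errorf("malformed secret reference %q: want secret://<name>/<key>", v)
	}
	return name, key, true, nil
}

// ResolveHeaderConditions parses the annotation value and replaces every secret://
// reference in an http-header condition with the Secret's data. It fails closed:
// a missing Secret or key aborts reconciliation instead of sending the reference
// string to the ALB as a header value.
func ResolveHeaderConditions(namespace, annotation string, lookup SecretLookup) ([]RuleCondition, error) {
	var conds []RuleCondition
	if err := json.Unmarshal([]byte(annotation), &conds); err != nil {
		return nil, fmt.Errorf("parse conditions annotation: %w", err)
	}
	for i := range conds {
		c := &conds[i]
		if c.Field != "http-header" || c.HTTPHeaderConfig == nil {
			continue
		}
		for j, v := range c.HTTPHeaderConfig.Values {
			name, key, isRef, err := ParseSecretRef(v)
			if err != nil {
				return nil, fmt.Errorf("condition %d: %w", i, err)
			}
			if !isRef {
				continue
			}
			data, ok := lookup(namespace, name, key)
			if !ok {
				// Report the reference, never a value: this error may land in logs or events.
				return nil, fmt.Errorf("condition %d: key %q not found in secret %s/%s", i, key, namespace, name)
			}
			c.HTTPHeaderConfig.Values[j] = string(data)
		}
	}
	return conds, nil
}

func main() {
	// Constructed inputs: the annotation from the issue plus a fake Secret.
	lookup := MapLookup(map[string]map[string][]byte{"any-namespace/any-secret": {"any-key": []byte("AnySensibleValue")}})
	conds, err := ResolveHeaderConditions("any-namespace", `[{"field":"http-header","httpHeaderConfig":{"httpHeaderName":"AnySensibleHeader","values":["secret://any-secret/any-key"]}}]`, lookup)
	// Print a redacted summary; the resolved values are exactly what must stay out of logs.
	fmt.Printf("err=%v conditions=%d\n", err, len(conds))
}
```

Two caveats a controller implementing this would inherit: the resolved values still end up in the ALB rule, visible to anyone with `elasticloadbalancing:Describe*` in the AWS account, so this only shrinks the Kubernetes-side exposure; and the controller itself would then need RBAC to read Secrets in every namespace that hosts an Ingress, which widens its own blast radius if it is compromised.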
@ivanfoo Thank you for raising this. But I have a question about it. Even if we implement this, you will still be able to see these header values from the console/CLI. Also, if you are concerned about the sensitive data in the Ingress annotation, you could try restricting Ingress access by defining the RBAC values.
@shraddhabang you are right about the values being visible when using the console or CLI. However, my concern is more about how exposed these annotations are.
It's way easier to restrict access to ALB details on AWS with IAM than to restrict access to Ingress resources that contain sensitive data as annotations, as there is no way to deny access to resources by labels or a similar approach.
Also, these annotations could be easily leaked everywhere: ArgoCD dashboard, cluster backups, alert messages, monitoring tooling...
I'm not saying the solution is perfect, but at least it does not increase the exposed surface...
What do you think? Any chance of consuming header values from Secrets? Also, do you know if native support for sensitive headers is coming anytime on the ALB side?
Thanks!
Any news regarding this topic?
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- After 90d of inactivity, `lifecycle/stale` is applied
- After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied
- After 30d of inactivity since `lifecycle/rotten` was applied, the issue is closed
You can:
- Mark this issue as fresh with `/remove-lifecycle stale`
- Close this issue with `/close`
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
/remove-lifecycle stale
/lifecycle stale
/remove-lifecycle stale
/lifecycle stale
/lifecycle rotten
/close not-planned
@k8s-triage-robot: Closing this issue, marking it as "Not Planned".