
Enhance security of vault injection

Status: Open. alexisdondon opened this issue 1 year ago. 0 comments.

In the current design of onyxia, a personal vault token is injected into interactive services.

From the ui perspective, the vault oidc configuration is quite good, as a user can safely edit vault secrets per project/user space under his own user identity.

But from the kubernetes perspective, the injection of the personal vault token into an interactive service is quite a problem, for two reasons:

  • In user and group namespaces, the vault token could have a duration and a user_count to mitigate its usage and leakage, but the shorter its lifetime, the higher the probability that kubernetes restarts the pod with a non-functional injection because the token has been revoked (balance between security and resilience).

  • From the group perspective, the vault token could leak quite easily among members, allowing some members of the group illegitimate access to secrets, as the vault token is not scoped to the kv path of the space.

I have two suggestions:

  • The first one is straightforward: as vault injection today only allows initialising some secrets in environment variables, the ui should never inject the personal vault token but instead read the secrets selected by the user and inject the content of the path in the HTTP PUT request as env variables:
    • from this point of view it is no worse than what onyxia does today for sensitive information.
    • the problem is solved, as no vault token is injected into the pods, and the pods are resilient to restarts with no duration limit.
    • the ui only injects env vars scoped by user/project space.
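The flow described in this first suggestion, as an added example that is not onyxia's own code: the launcher (server side, holding the Vault client) receives the KV path the user selected, checks that it lies inside the user's or project's space (including after normalising `..` and duplicate slashes), reads it, and turns the key/value pairs into the env list that would go into the HTTP PUT launch request. Only the secret values leave the function; the Vault token never does. The response layout (hvac-style KV v2 read), the `onyxia-kv` mount name, the `read_secret` callback and the sample paths are assumptions of this example.

```python
"""Added example (not onyxia's own code): read a scoped KV path server-side and
turn it into env entries for the launch request, instead of injecting a token."""
from __future__ import annotations

import posixpath
import re
from typing import Callable

# Env var names must be valid for a container spec; anything else is rejected
# rather than silently renamed.
ENV_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


class ScopeError(ValueError):
    """Raised when a requested KV path escapes the caller's user/project space."""


def normalise_kv_path(path: str) -> str:
    """Collapse '.', '..' and duplicate slashes so that prefix checks are meaningful."""
    cleaned = posixpath.normpath("/" + path.strip("/"))
    return cleaned.lstrip("/")


def check_in_scope(requested: str, allowed_prefixes: list[str]) -> str:
    """Return the normalised path if it sits under one of the allowed prefixes."""
    norm = normalise_kv_path(requested)
    for prefix in allowed_prefixes:
        p = normalise_kv_path(prefix)
        # 'alice/' guards against 'alicebob' being accepted as a child of 'alice'.
        if norm == p or norm.startswith(p + "/"):
            return norm
    raise ScopeError(f"{requested!r} is outside the allowed spaces {allowed_prefixes}")


def kv_to_env(secret_data: dict[str, object]) -> list[dict[str, str]]:
    """Flatten the user's key/value map into the env list for the launch request."""
    env = []
    for key, value in sorted(secret_data.items()):
        if not ENV_NAME.match(key):
            raise ValueError(f"secret key {key!r} is not a valid env var name")
        env.append({"name": key, "value": str(value)})
    return env


def build_launch_env(
    requested_path: str,
    allowed_prefixes: list[str],
    read_secret: Callable[[str], dict],
) -> list[dict[str, str]]:
    """Scope-check the path, read it with the server-side client, return env entries."""
    path = check_in_scope(requested_path, allowed_prefixes)
    response = read_secret(path)
    # KV v2 wraps the user's map in data.data; KV v1 returns it directly under data.
    data = response.get("data", {})
    if isinstance(data.get("data"), dict):
        data = data["data"]
    return kv_to_env(data)


# Constructed stand-in for Vault KV v2 reads (the hvac-style response shape is an assumption).
FAKE_VAULT = {
    "onyxia-kv/data/alice/db": {"data": {"data": {"DB_USER": "alice", "DB_PASSWORD": "s3cr3t"}}},
    "onyxia-kv/data/projet-x/s3": {"data": {"data": {"AWS_SECRET_ACCESS_KEY": "xyz"}}},
}


def fake_read_secret(path: str) -> dict:
    return FAKE_VAULT[path]


if __name__ == "__main__":
    allowed = ["onyxia-kv/data/alice", "onyxia-kv/data/projet-x"]
    print(build_launch_env("onyxia-kv/data/alice/db", allowed, fake_read_secret))
    try:
        build_launch_env("onyxia-kv/data/alice/../bob/db", allowed, fake_read_secret)
    except ScopeError as exc:
        print("rejected:", exc)
```

The returned list is the shape a chart-level `env` list would take; the scope check is the part that matters, because once the token stays server-side the only remaining way to reach another space's secrets is by asking the launcher for a path outside one's own.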

To do that:

  • the ui should change its mechanism, reading the secrets specified by the user in the vault part.

  • the helm charts of interactive services / OnyxiaValues should allow a new env: a list of key/value maps to inject as environment variables in the helm charts.

  • Another suggestion is to dig into the vault kubernetes auth mechanism and look for templated policies that allow the service account of a namespace to access and inject only the kv path of the project.

    • a proof of concept of this configuration should be done here
    • the helm chart should then include the vault annotations and the vault injector.
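The second suggestion, as an added example that is neither onyxia's nor Vault's own code: it shows the templated policy and the Kubernetes auth role a proof of concept would write, the injector annotations the chart would carry, and then evaluates the policy for two pods so that one can see a service account in namespace `projet-x` reaching `onyxia-kv/data/projet-x/*` and nothing else. The mount accessor value, the `onyxia-kv` mount name and the role/namespace names are constructed placeholders, and the policy matcher is a simplified re-implementation for illustration (trailing `*` glob, longest match wins), not Vault's evaluator. What is real Vault behaviour: the Kubernetes auth method attaches `service_account_name` and `service_account_namespace` to the entity alias metadata at login, and `{{identity.entity.aliases.<accessor>.metadata.<key>}}` is the templated-policy syntax that reads it.

```python
"""Added example (not onyxia's or Vault's own code): templated policy scoped by the
pod's namespace, plus a simplified evaluation of it for two pods."""
import re

KV_MOUNT = "onyxia-kv"
KUBE_AUTH_ACCESSOR = "auth_kubernetes_00000000"  # placeholder; the real value comes from `vault auth list`

# Templated policy: the namespace comes from the alias metadata that the
# Kubernetes auth method attaches to the entity at login.
TEMPLATED_POLICY = """
path "%(mount)s/data/{{identity.entity.aliases.%(accessor)s.metadata.service_account_namespace}}/*" {
  capabilities = ["read"]
}
path "%(mount)s/metadata/{{identity.entity.aliases.%(accessor)s.metadata.service_account_namespace}}/*" {
  capabilities = ["list"]
}
""" % {"mount": KV_MOUNT, "accessor": KUBE_AUTH_ACCESSOR}

# Role parameters as they would be written to auth/kubernetes/role/<name>:
# one role serves every project namespace, because the policy is templated.
KUBE_ROLE = {
    "bound_service_account_names": ["default"],
    "bound_service_account_namespaces": ["*"],
    "token_policies": ["onyxia-project-kv"],
    "token_ttl": "1h",
}


def injector_annotations(role: str, project: str, secret_name: str) -> dict[str, str]:
    """Pod annotations the chart would carry for the Vault Agent injector."""
    return {
        "vault.hashicorp.com/agent-inject": "true",
        "vault.hashicorp.com/role": role,
        f"vault.hashicorp.com/agent-inject-secret-{secret_name}": f"{KV_MOUNT}/data/{project}/{secret_name}",
    }


def render_policy(policy: str, alias_metadata: dict[str, str]) -> str:
    """Substitute {{identity.entity.aliases.<accessor>.metadata.<key>}} with the alias metadata."""
    pattern = re.compile(r"\{\{identity\.entity\.aliases\.[^.}]+\.metadata\.([^}]+)\}\}")
    return pattern.sub(lambda m: alias_metadata[m.group(1)], policy)


def parse_policy(policy: str) -> list[tuple[str, set[str]]]:
    """Extract (path pattern, capabilities) pairs from rendered HCL (simple stanzas only)."""
    rules = []
    for m in re.finditer(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', policy):
        caps = {c.strip().strip('"') for c in m.group(2).split(",") if c.strip()}
        rules.append((m.group(1), caps))
    return rules


def capabilities_for(rules: list[tuple[str, set[str]]], request_path: str) -> set[str]:
    """Simplified Vault semantics: a trailing '*' is a prefix glob, longest pattern wins."""
    best, best_len = set(), -1
    for pattern, caps in rules:
        if pattern.endswith("*"):
            ok = request_path.startswith(pattern[:-1])
        else:
            ok = request_path == pattern
        if ok and len(pattern) > best_len:
            best, best_len = caps, len(pattern)
    return best


def pod_can_read(namespace: str, request_path: str) -> bool:
    """Would a pod authenticated from `namespace` (default SA) get 'read' on request_path?"""
    metadata = {"service_account_name": "default", "service_account_namespace": namespace}
    rules = parse_policy(render_policy(TEMPLATED_POLICY, metadata))
    return "read" in capabilities_for(rules, request_path)


if __name__ == "__main__":
    print(render_policy(TEMPLATED_POLICY, {"service_account_namespace": "projet-x"}))
    print(injector_annotations("onyxia-services", "projet-x", "s3"))
    print("projet-x pod reads projet-x/s3:", pod_can_read("projet-x", f"{KV_MOUNT}/data/projet-x/s3"))
    print("projet-x pod reads projet-y/s3:", pod_can_read("projet-x", f"{KV_MOUNT}/data/projet-y/s3"))
```

Because the scope is derived from the namespace the pod actually authenticated from, a token that leaks out of a group pod is only good for that group's own kv path, which is the gap the second reason above points at. The annotation path in `injector_annotations` must stay consistent with the namespace the chart deploys into, otherwise the agent simply gets a permission denied from the policy.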

alexisdondon, Sep 07 '23 03:09