
Sealed Secret in Kubernetes

Open drnow4u opened this issue 1 year ago • 11 comments

A file containing a Sealed Secret would be committed to the repository, e.g.:

apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: mysecret
  namespace: mynamespace
spec:
  encryptedData:
    foo: AgBy3i4OJSWK+PiTySYZZA9rO43cGDEq.....

A Sealed Secret is asymmetrically encrypted, and only the Sealed Secrets controller deployed in Kubernetes can decrypt it. Such decrypted ("unsealed") secrets are stored as a classic Kubernetes Secret:

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
  namespace: mynamespace
data:
  foo: YmFy  # <- base64 encoded "bar"

@commjoen could you describe the attack vector proposed on Slack?

drnow4u avatar Jun 03 '23 20:06 drnow4u

We would get into trouble if the private key is somehow compromised: either by specifying a backup key to use the secret without the controller, or by having the secret accessible due to an RBAC misconfiguration. However: I have not seen either of the 2 cases in the wild yet. @bendehaan: what should we do here?

commjoen avatar Jun 03 '23 20:06 commjoen
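To make the two comments above concrete (the issue description's "only the controller can decrypt it", and the key-compromise / backup-key scenario), here is an added stand-alone Go example, not code from the wrongsecrets or sealed-secrets projects. It re-implements the hybrid scheme Sealed Secrets uses as I understand it from the project's documentation: a per-secret AES-256-GCM session key wrapped with RSA-OAEP (SHA-256), the `namespace/name` scope used as the OAEP label, and the output laid out as 2-byte big-endian RSA ciphertext length || RSA ciphertext || AES-GCM ciphertext. The 2048-bit key, the `mustKey`/`seal`/`unseal` names and the sample value `bar` are assumptions for the demo; the real controller key and kubeseal output carry more metadata than shown here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

const sessionKeyBytes = 32 // AES-256 session key, one per sealed value

// mustKey generates a throwaway RSA key pair standing in for the controller's
// sealing key. Assumption: 2048 bits for speed; the real controller uses larger keys.
func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal is what kubeseal does with the controller's public certificate:
// wrap a fresh session key with RSA-OAEP (label = namespace/name), then
// AES-GCM-encrypt the plaintext under that session key.
func seal(pub *rsa.PublicKey, plaintext, label []byte) (string, error) {
	sessionKey := make([]byte, sessionKeyBytes)
	if _, err := io.ReadFull(rand.Reader, sessionKey); err != nil {
		return "", err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, label)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return "", err
	}
	out := make([]byte, 2)
	binary.BigEndian.PutUint16(out, uint16(len(wrapped)))
	out = append(out, wrapped...)
	// The session key is single-use, so an all-zero nonce is acceptable here.
	out = gcm.Seal(out, make([]byte, gcm.NonceSize()), plaintext, nil)
	return base64.StdEncoding.EncodeToString(out), nil
}

// unseal is what the controller does, and what anyone holding its private key
// (leaked backup, or read from the cluster via over-broad RBAC) can do offline.
func unseal(priv *rsa.PrivateKey, encoded string, label []byte) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	if len(ct) < 2 {
		return nil, errors.New("ciphertext too short")
	}
	rsaLen := int(binary.BigEndian.Uint16(ct[:2]))
	if len(ct) < 2+rsaLen {
		return nil, errors.New("truncated RSA ciphertext")
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct[2:2+rsaLen], label)
	if err != nil {
		return nil, fmt.Errorf("unwrap session key (wrong key or scope label?): %w", err)
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, make([]byte, gcm.NonceSize()), ct[2+rsaLen:], nil)
}

func main() {
	controllerKey := mustKey()
	label := []byte("mynamespace/mysecret") // strict scope, as in the issue's SealedSecret

	enc, err := seal(&controllerKey.PublicKey, []byte("bar"), label) // constructed sample value
	if err != nil {
		panic(err)
	}
	fmt.Println("encryptedData.foo:", enc[:40]+"...") // this is what is safe to commit

	// Repo access alone (a different or missing private key) does not unseal.
	if _, err := unseal(mustKey(), enc, label); err != nil {
		fmt.Println("without the controller key:", err)
	}
	// Moving the ciphertext to another namespace/name fails: the OAEP label differs.
	if _, err := unseal(controllerKey, enc, []byte("othernamespace/mysecret")); err != nil {
		fmt.Println("wrong scope:", err)
	}
	// With the controller's private key the value is recovered without the controller.
	pt, err := unseal(controllerKey, enc, label)
	if err != nil {
		panic(err)
	}
	fmt.Println("with the controller key:", string(pt))
}
```

The point for this issue: the ciphertext in git is only as safe as the controller's private key. That key is itself a plain Kubernetes Secret in the controller's namespace (to my knowledge labelled `sealedsecrets.bitnami.com/sealed-secrets-key` and normally living in `kube-system`), so `get secret` rights there, or a backup copy of it, give the offline unseal shown above; the project's `kubeseal --recovery-unseal --recovery-private-key` flag exists for exactly that backup-key case.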

One of the challenges would still be: how can we implement this in ctf-party? Should the controller live in a namespace everyone has access to?

commjoen avatar Jun 03 '23 20:06 commjoen

As agreed with @bendehaan: we can implement it for now using a controller with an exposed private key. Assigning this one to you @MarcinNowak-codes

commjoen avatar Jun 04 '23 20:06 commjoen

@bendehaan is this still something you want to pick up :) ?

commjoen avatar Oct 04 '23 03:10 commjoen

@commjoen I can't recall that I was the assignee earlier, shouldn't it be @drnow4u?

bendehaan avatar Oct 04 '23 17:10 bendehaan

Anyone want to pick this one up :) ?

commjoen avatar Oct 04 '23 18:10 commjoen

I want to work on this issue :-) @commjoen

Shubham-Patel07 avatar Jan 25 '24 17:01 Shubham-Patel07

@commjoen has some discussion already been done on Slack about this issue? I wanted some more details on this.

Shubham-Patel07 avatar Jan 26 '24 03:01 Shubham-Patel07

Yes. Please check with @bendehaan on Slack.

commjoen avatar Jan 26 '24 04:01 commjoen

@Shubham-Patel07 can you, before taking on this issue, first fix the other 2 outstanding PRs please?

commjoen avatar Jan 26 '24 04:01 commjoen

I've fixed the outstanding issue; now I wanted to give it a try!

Shubham-Patel07 avatar Feb 13 '24 14:02 Shubham-Patel07

Missing unit tests and textual corrections. Good to know: @Shubham-Patel07 given current RBAC, we could add the hints of accessing the secret directly, meaning all can be done in the same challenge ;-)

commjoen avatar Jul 07 '24 09:07 commjoen

Updated https://github.com/OWASP/wrongsecrets/pull/1521 to have both challenges combined in this one.

commjoen avatar Jul 08 '24 04:07 commjoen

Done with https://github.com/OWASP/wrongsecrets/pull/1521

commjoen avatar Jul 08 '24 13:07 commjoen