
feat: Is it possible to make the ingress controller work without allowing read access to all secrets in the cluster?

Open javsalgar opened this issue 1 year ago • 4 comments

Description

Currently, the RBAC ClusterRole grants read access to all secrets in the cluster. If the application gets compromised, this could be a critical security issue. Is it possible to limit the namespaces where the controller can access and set Role/Rolebindings for secrets instead?

javsalgar avatar Jan 17 '24 10:01 javsalgar

@javsalgar Though the controller has read access to the secret, it does not react to its events until the secret is part of the namespaces being watched. You can control which namespaces should be watched by adding a namespace selector [1] (Helm chart), and then only the namespaces with that label will be watched.


https://github.com/apache/apisix-ingress-controller/blob/96510b68462e1a94370ed1d537beb24f2c16e234/cmd/ingress/ingress.go#L178

Revolyssup avatar Jan 19 '24 05:01 Revolyssup

But this is still trusting the ingress controller. If you want security at K8s level, maybe you can propose adding an optional helm parameter that allows for giving access to Secrets via per-namespace Role and RoleBinding instead of ClusterRoleBinding and ClusterRole

Revolyssup avatar Jan 19 '24 05:01 Revolyssup

@javsalgar hi, does this resolve your problem now?

Vacant2333 avatar Jan 24 '24 14:01 Vacant2333

This issue has been marked as stale due to 90 days of inactivity. It will be closed in 30 days if no further activity occurs. If this issue is still relevant, please simply write any comment. Even if closed, you can still revive the issue at any time or discuss it on the [email protected] list. Thank you for your contributions.

github-actions[bot] avatar Apr 24 '24 01:04 github-actions[bot]

This issue has been closed due to lack of activity. If you think that is incorrect, or the issue requires additional review, you can revive the issue at any time.

github-actions[bot] avatar May 24 '24 01:05 github-actions[bot]

Hi @Revolyssup, I tried your recommendation here: https://github.com/apache/apisix-ingress-controller/issues/2138#issuecomment-1899808129

Yet, when we do Secrets via per-namespace Role and RoleBinding instead of ClusterRoleBinding and ClusterRole, we have an error:

E0719 17:49:20.123223       1 reflector.go:147] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:apisix-ingress-dev:apisix-view-serviceaccount" cannot list resource "secrets" in API group "" at the cluster scope

Note that we have the same error for a lot of rules, not only for secrets (configmap, etc.), if we try to get it to work with a RoleBinding.

Is it possible to reopen this issue and make it work with rolebinding?

4FunAndProfit avatar Jul 19 '24 09:07 4FunAndProfit
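The per-namespace Role/RoleBinding layout proposed earlier in the thread, shown next to the cluster-wide grant it is meant to replace, as an added example that is neither from the issue nor from the project's Helm chart; the resource names are made up, and the namespace and service account are taken from the error message quoted above.

```yaml
# Constructed illustration; not the apisix-ingress-controller Helm chart templates.
# 1) What the issue objects to: a cluster-wide read grant on every Secret
#    (bound to the controller's service account through a ClusterRoleBinding, omitted here).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: apisix-ingress-secrets-cluster-wide   # made-up name
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
---
# 2) The proposed least-privilege alternative: the same verbs, scoped to one namespace.
#    Namespace and service-account name come from the forbidden error in the thread.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: apisix-ingress-secrets-reader         # made-up name
  namespace: apisix-ingress-dev
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: apisix-ingress-secrets-reader         # made-up name
  namespace: apisix-ingress-dev
subjects:
  - kind: ServiceAccount
    name: apisix-view-serviceaccount
    namespace: apisix-ingress-dev
roleRef:
  kind: Role
  name: apisix-ingress-secrets-reader
  apiGroup: rbac.authorization.k8s.io
# A RoleBinding only authorises requests addressed to its own namespace. The reflector
# error in the thread is a list of Secrets at cluster scope (no namespace in the request),
# which no Role/RoleBinding pair can satisfy; only a ClusterRole bound through a
# ClusterRoleBinding covers a cluster-scoped list or watch.
```

Because the error shows the controller listing Secrets at cluster scope, the namespaced pair alone cannot authorise that request; `kubectl auth can-i list secrets --as=system:serviceaccount:apisix-ingress-dev:apisix-view-serviceaccount -A` (cluster scope) versus the same command with `-n apisix-ingress-dev` shows the difference before the controller is deployed.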