
Restrict access to secrets in K8S cluster

Open jnonino opened this issue 1 year ago • 6 comments

Welcome!

  • [X] Yes, I've searched similar issues on GitHub and didn't find any.
  • [X] Yes, I've searched similar issues on the Traefik community forum and didn't find any.

What did you expect to see?

Currently, the RBAC permissions created for Traefik give access to all secrets with no restrictions, as defined in rbac/clusterrole.yaml#L31 and rbac/role.yaml#L21.

  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch

That generates security concerns as Traefik should not need access to every secret in the cluster. The idea should be to have a parametrized field in the secrets permissions to use resourceNames and give Traefik access only to the secrets it might require to work.

jnonino avatar Feb 20 '24 10:02 jnonino

Hello @jnonino,

That's right. It can be improved on this point. Thanks for this issue.

mloiseleur avatar Feb 20 '24 10:02 mloiseleur

Cool, I'll work on a pull request for it!

jnonino avatar Feb 20 '24 10:02 jnonino

:warning: Don't forget that TLS certificates can be stored in Secrets, for instance when using cert-manager.

mloiseleur avatar Feb 20 '24 10:02 mloiseleur

Sure, we are actually using it that way!

jnonino avatar Feb 20 '24 10:02 jnonino

New PR opened: https://github.com/traefik/traefik-helm-chart/pull/1009

jnonino avatar Feb 21 '24 16:02 jnonino

For more context, tools like Wiz found issues with the Traefik container.


Restrictions on secret access will help to reduce the risk of issues with sensitive information.

jnonino avatar Feb 21 '24 17:02 jnonino

Fixed with

  • #1009

mloiseleur avatar Apr 03 '24 12:04 mloiseleur