feat: automatically remove user registry secrets #435
Conversation
|
I believe you need to also check the username of the pod explicitly - checking the server name is not enough. See GHSA-v7m9-9497-p9gr - you can create user names that will map to the same escaped version of the name. Come to think of it, all of the secret handling probably needs to be rethought a bit - adding annotations would probably be the way to go. |
There was a problem hiding this comment.
Thanks @olevski for this nicely done and well documented PR and particularly for test-covering the added functionality right away!
I think the biggest change necessary is related to how we map a secret to a pod (see comment below). Particularly, there's a difference between the k8s pod name and the JH server name that I didn't really point out (sorry about that). While the k8s pod name IS unique and includes both username, repo name and commit, different users can have servers with the same servername, even after fixing the CVE that @rokroskar has pointed out. For example check out https://<renku-domain>/jupyterhub/hub/home for a list of the servernames of your running servers. My initial thought was to add the pod name directly as annotation to the secret, but the secret is created in the notebooks-service while the pod name is generated in the spawner, so we'd either have to duplicate the logic which generates the pod name or - what I have described in the comment - rely custom renku.io annotations (or labels!) for matching secrets and pods.
|
@ableuler , @rokroskar I addressed all the comments. Also I deployed the latest from this branch to my namespace and tested the cases when:
|
|
One last thing and you might leave this to another PR, which would be fine imo, but we should have some way of controlling, through the values file, a) the cron setup and b) the max secret age |
No problem I can add this to this PR @rokroskar. |
Closes #333
A few things to note:
The scripts that are used by the cronjob can be moved to a fully independent docker image. I decided to not do this just because it was easier to piggy-back on the notebooks docker image.This is now an independent image.UseIt was decided to use the following pattern{servername}-registryto name user registry secrets (servernameis escaped to prevent underscores from the project name causing issues.){safeusername}-registry-{uuid4()}.(.+)-registry$.+-registry-[a-z0-9-]{36}$and has the labelcomponent=singleuser-server,with the capture group indicating theservernamefor the user server.secret.type == "kubernetes.io/dockerconfigjson"and for the presence of the labels["renku.io/commit-sha", "renku.io/projectName", "renku.io/username"]which are used to then identify the pod that used the secret.a) Check to see if the pod that used the secret is still around, if so and if the pod's status is running or completed, then delete the secret
b) If the pod that used the secret cannot be found (based on the
servernamelabels) then delete the secret only if the age of the secret is older than the designated thresholdThis is currently in place at https://tasko.dev.renku.ch/. Tested with a public and private projects.