-
Notifications
You must be signed in to change notification settings - Fork 248
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Consider deleting userdata from provider after Ignition completes #1315
Comments
Torn on whether we should do this by default or make it opt-in too. The fact that it's also only possible on some platforms is a concern. Maybe cleanest is a |
I don't like the idea of making a security feature opt-in, even if we can't support it everywhere. But also, as a practical matter, Butane and Ignition configs aren't inherently platform-specific. (CT generated Ignition configs that were, and it always felt awkward.) For any deployments that use the same config on dev and prod platforms with different support for this option, we'd be forcing them to either maintain separate configs or accept the lower-security option in both places. I'm leaning toward deleting configs by default, maybe even without an override. I can construct hypothetical cases where someone might need the config left in place, but none of them feel particularly natural. We can always go back and add an override if it turns out someone needs it. (Alternative: we could have a tri-state, keep/delete/try-delete, defaulting to try-delete.) |
I agree, though my concern is that latter part of that sentence. We could log a warning as you suggested, though that'd be easy to miss and wouldn't be accurate because the user might've taken appropriate measures already and we have no good way to detect that.
True, but whether your config holds secrets is config-specific. :)
Hmm, yeah that could work. For platforms in which we can only firewall, maybe we could for FCOS/RHCOS have Butane sugar to make that easier. E.g. have it create a stamp file and then add a systemd generator to https://github.com/coreos/fedora-coreos-config which sets up the rules for the specific platform we're on? |
As openshift/enhancements#443 notes, the OpenShift SDN currently blocks link-local addresses which is the main mitigation against this from an OCP perspective. However, note that there definitely exist containers which expect to be able to retrieve user data; those containers today can join the host network namespace to skip the SDN firewalling. If the firewalling is at the host level they'd have to go through further hoops to e.g. remove the iptables rules inside their own netns. I found kubernetes-sigs/cluster-api-provider-aws#1875 in my web history which is related too. |
@jlebon and I discussed this more OOB. Some (reconstructed) notes:
|
Really? Why? |
I think in some cases e.g. kubelet uses this to determine which availability zone it's in. It's not about accessing the user data, but more about instance metadata in general; an IP-level firewall can't block one but not the other. There's definitely also 3rd party containers which read instance metadata. I hesitate to say it, but the real solution may need to be something like a transparent proxy which knows about each cloud and filters out just the user data to start. i.e. we use iptables to redirect requests to the proxy process. |
(My initial comment mentioned "user data" when I definitely meant "instance metadata") |
With #1351 the situation for Azure changed when IMDS is used which will stay available for all clients on the instance (but the docs call out that secrets shouldn't be placed there). |
Thanks, updated the description. |
Feature Request
Environment
At least VirtualBox, VMware
Desired Feature
Some platforms allow modifying or removing userdata using APIs accessible from the VM instance. On those platforms, consider deleting the Ignition config from the platform after Ignition completes.
Other Information
Ignition configs may contain sensitive information that should not be accessible from workloads running on the machine. We currently do nothing to help users with sensitive userdata, and there is no documentation about the issue (coreos/fedora-coreos-docs#306). On platforms with network metadata services, the user can write an Ignition config that firewalls off the metadata service (not documented in Fedora CoreOS: coreos/fedora-coreos-docs#247). On platforms with in-hypervisor metadata accessible by non-root users (at least VMware), firewalling isn't an option, and the user must delete the metadata themselves.
Various minimalistic fixes are possible. We could publish docs on adding a systemd service that disables userdata access. If an external tool is necessary, we could ship it or recommend adding it to the OS. Or we could recommend that OSes check the platform ID and disable userdata access themselves.
However, we generally try to keep Ignition secure by default. I think it would make sense to delete userdata automatically wherever we have an API to do so. This is most important for platforms that can't be remediated by firewalling, but is still a worthwhile improvement on the others. On platforms where we can't delete userdata, we could log a warning recommending that users firewall or otherwise mitigate their risk.
In principle this would be a compatibility break, since it's possible for other software in the instance (or on a VM host) to intentionally access userdata. (That would be hacky, since the userdata must be formatted as an Ignition config for Ignition to care about it, but it's conceivable.) If we're concerned about this, we could add an Ignition config field (
ignition.config.delete
?) configuring whether Ignition performs the deletion. I think the default should certainly betrue
after the next major spec bump, but the short-term default is less clear, especially for old specs that don't have the field.We'd need to delete userdata after Ignition completes, not after fetch succeeds. There are two reasons: kargs changes may reboot the machine and refetch userdata, and a failed Ignition run may be retried by the OS (since Ignition is mostly idempotent).
Platform notes
AWS
Network metadata service. Userdata can be changed with the
ModifyInstanceAttribute
control plane request, but there's no instance-side API. Control plane access is probably out of scope for us.Azure
On FCOS and RHCOS, Azure "custom data" access is already disabled at runtime, outside Ignition's control. Azure doesn't allow full access to a VM until it "checks in" to report that it has provisioned successfully, and this checkin causes Azure to disable access to the config drive. Checkin is handled by Afterburn, which runs in the initramfs on RHCOS (to avoid long delays for console access) and in the real root on FCOS (for eventual integration with automatic rollback: coreos/fedora-coreos-tracker#47). It may or may not make sense to move this into Ignition.
The new Azure IMDS userdata mechanism (#1351) does not act this way. The instance can access userdata even after checkin, and there's no instance-side API to disable it.
DigitalOcean
Network metadata service does not appear to support changing userdata.
GCP
Network metadata service does not appear to support changing regular metadata attributes via the metadata service. Guest attributes can be changed from the guest, but the
user-data
attribute is not one of those. Some additional discussion in coreos/fedora-coreos-docs#306.Packet
Network metadata service does not appear to support changing userdata.
qemu
fw_cfg userdata is only accessible by root. Write support was removed in qemu/qemu@023e314.
We also support config drives on non-x86_64.
VirtualBox
Guest properties can be modified from inside the guest. They're documented as being accessible only to root, but it still seems useful to remove userdata.
VMware
Userdata is accessible by non-root users. It can be stored directly in guestinfo or in an XML document in guestinfo, and we'd have to handle both cases. See #1300.
The text was updated successfully, but these errors were encountered: