-
Notifications
You must be signed in to change notification settings - Fork 1.1k
Need ability to add to known_hosts #724
Comments
Why don't we want to turn host key verification off? What are the specific attack vectors we're worried about? How is using an init container any more secure? It just means that you weren't MITM'd at the beginning, rather than later I guess. At least in Kubernetes, I suspect GitLab's key will probably change if it's upgraded or re-deployed, so you'd need a way to refresh it. Giving fluxd an argument for this (and threading it through the launch generator etc): Is the hit to usability worth the extra security? Flux is already hard enough to configure (and we've gone to great lengths to make it easier, with some success; this seems like a step backwards; I know – security and convenience are often in tension). Couldn't we make the more-secure option an optional default instead for folks concerned about the attack vectors above? |
From discussion with Ilya: probably what we need to do here is expose the "do you want to trust this host?" experience somehow through the Flux CLI and GUI. |
Also, current approach suffers from an inability to handle the scenario where either of the hosts (whose keys we trust at build time) re-issue their keys. |
I suppose it'd make sense to consider bubbling this question to the UI (that's like what OpenSSH client does). May be we could ask the user at the time they set the repo URL. Just an idea. In the meantime, I'd suggest that perhaps we could trust hosts that are inside of the cluster, i.e. |
Relevant answer: https://security.stackexchange.com/questions/39990/is-it-safe-to-disable-ssh-host-key-checking-if-key-based-authentication-is-used/40002#40002 I guess the bad thing that could happen is that Flux connects to an attacking server, and the attacking server tells it what software to run in its production cluster (perhaps referring to the attacker's own docker images hosted on a public registry). That would be bad. |
I think optionally trusting (as in, turning off |
A workaround, until we figure out a general solution, is for people to mount a $ ssh-keyscan github.com > known_hosts
$ kubectl -n kube-system create configmap flux-known-hosts --from-file=./known_hosts then adapt the flux daemon manifest to mount it into the expected place: ---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: flux
namespace: kube-system
spec:
replicas: 1
strategy:
type: Recreate
template:
metadata:
labels:
name: flux
spec:
serviceAccount: flux
volumes:
- name: git-key
secret:
secretName: flux-git-deploy
# vvv Additional volume
- name: known-hosts
configMap: flux-known-hosts
# ^^^
containers:
- name: fluxd
image: quay.io/weaveworks/flux
imagePullPolicy: IfNotPresent
ports:
- containerPort: 3030
volumeMounts:
- name: git-key
mountPath: /etc/fluxd/ssh
# vvv Additional volume mount
- name: known-hosts
mountPath: /root/.ssh/known_hosts
subPath: known_hosts
# ^^^
args:
- [email protected]:squaremo/flux-example
- --git-set-author (EDITED: changed the mount path to reflect the actual home directory) (UPDATED: use a |
@squaremo I tried this solution (mounting I notice that there's a |
On a potentially unrelated note, when I do mount at
I'm trying to use GCR as the registry, could that be related? |
Oh of course!
Sorry that's my fault -- the example yamel I gave above omits a bunch of arguments that aren't necessary for an image built from master, but are required for the release images (i.e., 1.1.0). If you just grab the two extra bits and put them in your non-CrashLooping config I think it'll go better. I'm going to do a release of a new image pretty soon -- lots of stuff works much better now :)
That should be OK, or at least not be an immediate problem. We have done a bit of rewriting, recently, to work with GCR better since it dropped support for older Docker image manifests. It'll be in the new release. |
When trying to change the mount to This is the new deployment.yaml and the additional ConfigMap I'm deploying:
|
Version 1.2.0 is released now. If you bump the flux image version to 1.2.0, I think that manifest will work.
|
Version 1.2.0 worked for me. Thanks for the help! 👍 |
#851 removed the need for a lot of the command-line arguments (so omitting them didn't lead to crashloops); the other bit was mounting the SSH If the git syncing is now working for you, I can add it to our documentation -- great! |
Another approach (which could be automatable, even) would be to add the host key in an Yet another approach: do an explicit SSH connection check when starting up, and report the failure as part of the git status, so it has a chance of being remedied. |
FWIW I also ran into this issue and worked around it by creating my own flux docker image. Now that I've read through this issue a better solution would definitely be to mount in my own |
Using a config-map for known-hosts in the form above did not work since it specifies a volume mountPath of /root/.ssh/, thereby masking the default /root/.ssh/config included in the image. flux would fail to connect to the git server with the following error:
Modifying the config-map to include the contents of the ssh config allows flux 1.2.3 to work correctly.
|
@squaremo your new subpath volumeMounts spec has a small mistake. Replace this:
with this:
|
We now bake a known_hosts into the image at /etc/ssh/ssh_known_hosts, and config at /etc/ssh/ssh_config, so it is safe to mount both of those into /root/.ssh/ from a configmap. How to do so is documented in https://github.com/weaveworks/flux/blob/master/site/standalone-setup.md#using-a-private-git-host and and demonstrated in the example deployment https://github.com/weaveworks/flux/blob/master/deploy/flux-deployment.yaml. (EDIT: revised URL to doc) |
The url for the documentation for the private git host has changed: |
I have an issue where it seems like the flux deployment is recreating the pod every so often and loses the ssh known_host config. Had anyone else experienced this? Whats the best way to update the flux deployment if it's already deployed. I just outputting it to yaml then ran 'kubectl apply-f' |
When using e.g., a private gitlab repo, flux will balk at cloning the repo because the host has an unknown identity (i.e., it's not in
~/.ssh/known_hosts
).Currently we prepopulate
~/.ssh/known_hosts
with keys for github, gitlab (public), and bitbucket, using ssh-keyscan, when building the flux image.A few notes/ideas:
The text was updated successfully, but these errors were encountered: