Proposal for re-introducing SecretGenerators using Exec. #892
Conversation
k8s-ci-robot
added
approved
k8s-ci-robot
added
the
size/L
pwittrock
requested review from
anguslees
and removed request for
soltysh and
seans3
k8s-ci-robot
added
kind/kep
|
cc @akutz |
|
It seems like another way to achieve the goal is exec path prefix. the other kep is about ~/.config/... for the hard-coded path. e.g. ln -s /usr/bin/sops ~/.config/kustomize/sops and then --exec-path-prefix ~/.config/kustomize |
There was a problem hiding this comment.
lgtm. In particular, this is effectively a whitelist of allowed commands explicitly configured on the client-side - which addresses the concerns I had with the original SecretGenerators (remote file could specify arbitrary local commands).
It would be nice to clarify in the doc whether the commands are executed when using --dry-run or not.
| - Command is executed from the `PATH` variable, it cannot be an absolute or relative path | ||
| - This is to prevent Carl from publishing a malicious generator with the kustomization.yaml and invoking it | ||
| - Users can override the prefix with a string value with `len(value) > 2` - e.g. `sg-` | ||
| - Min length is to prevent users from providing an empty value, which would allow arbitrary command execution |
There was a problem hiding this comment.
This seems a bit nanny-state imo. If I have gone out of my way to overridde an option, then the tool should do-what-i-said (don't introduce an arms race with the user).
There was a problem hiding this comment.
@anguslees sorry to see that you aren't the author on this KEP. Feel free to write a different one - there's no limit.
@pwittrock can we leave some of the more obvious KEP opportunities to new community members?
There was a problem hiding this comment.
I am fine with removing this.
There was a problem hiding this comment.
Yeah, maybe I'll start writing KEPs for KEPs :)
There was a problem hiding this comment.
@anguslees A colleague suggested my previous comment was inappropriate, and I apologize. I meant it literally. You made some great points on #811, which strongly influenced its final form, and i hoped you or someone else who was interested in exec would contribute something along these lines.
| Re-introduce `exec` Secret generators, but require the executables to have a whitelisted prefix | ||
| and require a flag. | ||
|
|
||
| - Introduce a flag `--secret-generator-exec-prefix` defaulted to `kustomize-sg-` |
There was a problem hiding this comment.
What is a use-case where someone would vary this? (Is it ok to just always use that specific prefix?)
There was a problem hiding this comment.
I could imagine this for if they wanted to use kubectl or git plugins for instance.
There was a problem hiding this comment.
Or, in the case of using a directory containing the binaries, to disable it altogether.
Good point. Something I had considered but didn't put in the alternatives. This isn't mutually exclusive and I could add it as another flag. Then users could do
Thoughts? |
There was a problem hiding this comment.
It seems like another way to achieve the goal is exec path prefix.
Good point. Something I had considered but didn't put in the alternatives. This isn't mutually exclusive and I could add it as another flag. Then users could do
Use anything on the user's path
--secret-generator-exec-prefix="" ----exec-path-prefix=""Executables from a dir
--secret-generator-exec-prefix="" ----exec-path-prefix="~/.kube/config"Executables with a prefix
--secret-generator-exec-prefix="kustomize-sg-" ----exec-path-prefix=""Executables with a prefix that are in a dir
--secret-generator-exec-prefix="kustomize-sg-" ----exec-path-prefix="~/.kube/config"Thoughts?
its more convenient for me to have a prefix dir and call it a day, than to rename the tools to have a prefix in their exec.
e.g. I'd rather ln -s sops somewhere and just type sops when doing it interactively, than rename sops to kustomize-prefix-sops and try and remember that.
| Re-introduce `exec` Secret generators, but require the executables to have a whitelisted prefix | ||
| and require a flag. | ||
|
|
||
| - Introduce a flag `--secret-generator-exec-prefix` defaulted to `kustomize-sg-` |
There was a problem hiding this comment.
suggest also/instead --secret-generator-path.
this allows an admin to softlink the exposed tools into a directory, rather than searching the path.
simpler for the end user and more secure
e.g. I would allow this ---exec-path-prefix="~/.kube/config" concept to be a path.
then I would just 'setenv('PATH', that)' in main(). this would allow me to have >1 spot for curated plugins, w/o exposing them randomly to kubectl apply http://blah/ random bad users, and leave the rest of the code intact.
There was a problem hiding this comment.
also i think the 'with a prefix in a dir' is not needed.
IMHO simply the dir is sufficient, and would have been the solution I would have intro when this whole convo started that lead to the removal of the command. But certainly i don't have an issue w/ also having a prefix on the name.
There was a problem hiding this comment.
WDYT of the current proposal? Specifically w.r.t. the defaults chosen. e.g. we default to prefix based rather than dir based, but support both.
There was a problem hiding this comment.
Defaulting the path to an absolute path would make it simpler to produce a kustomize container with generators pre-installed. Maybe default it to (os agnostic version of) /usr/local/kustomize/bin/ ?
There was a problem hiding this comment.
TBH I'm ok w/ anything that works since its unlikely that the defaults are perfect and its not hard to set.
So sure. prefix default is ok, support path/dir optional is ok. default to /usr/local/k/bin? sure, seems fine to me too.
There was a problem hiding this comment.
SG. I'll sleep on it and finalize the defaults tomorrow. Sounds like we are good to more forward though.
|
PTAL. I believe I have addressed all comments. |
|
I think the defaults for the values is the only thing up in the air. I think we can move forward with this, and revisit the defaults as a follow up. |
|
@pwittrock It will be possible to have many different types of KV plugins in a single kustomization file. Rather than having flags for overriding each type, would it make more sense for them all to share path/filename conventions and then allow users to override with either flags or env vars? |
| - Alice wants to run a whitebox mysql instance on a test cluster | ||
| - Carl publishes a whitebox mysql `kustomization.yaml` on GitHub, with a SecretGenerator | ||
| that will read Alice's ~/.kube/config and send it to Carl's server by executing `sh` | ||
| will a script to generate some Secret |
There was a problem hiding this comment.
nit: sentence is incorrect I suspect
There was a problem hiding this comment.
I think this proposal is better than the previous one.
My main goal is:
- In an organization where bases are shared across teams, I don't want to have to standardize a convention for the prefix name, which made the prefix option hard to manage
- I don't want to have to copy scripts to a specific location every time I run kustomize
- Ideally, I think I'd want the scripts to be committed next to my
kustomization.yamlfile - I want to be able to declarative whitelist the scripts that I've vetted
At least with this solution, I see we could do:
- When I update my bases, I copy (possibly rename to have a common prefix) and inspect all these bases scripts into my top-level dir and commit them
- Code reviews help catch problematic constructs
- I always run kustomize with
--sg-exec-path=. --sg-prefix-path=vetted-
Hope this makes sense,
| - (default) the empty string - disable exec secrets altogether | ||
| - `$PATH` - any executable in the user's path matching the prefix | ||
| - an absolute directory path - only executables matching the prefix in that directory | ||
| - a relative directory - only executables matching the prefix in that directory |
There was a problem hiding this comment.
I'm assuming it's relative to the kustomization.yaml file that was command-line specified, and by "in that directory" you're saying "that doesn't contain ..". Does it follow symlinks outside "that directory"?
There was a problem hiding this comment.
changed this. lmk what you think
|
IIUC, I agree with your assessment. Users have enough flexibility w.r.t. how they provide plugins to be able to things that might work really well for their environment / organization, but wouldn't be appropriate for all organizations or as defaults. |
pwittrock
force-pushed
the
secret-gen
branch
2 times, most recently
from
de26f3e to
2338bda
Compare
|
@anguslees @donbowman @apelisse @sethpollack @monopole PTAL. Refined the UX and updated the defaults based on the feedback from y'all. Notable changes:
Also added some items as possible features for GA. |
|
PTAL |
pwittrock
force-pushed
the
secret-gen
branch
10 times, most recently
from
68fc805 to
8e3a5ef
Compare
|
lgtm |
|
|
||
| ```sh | ||
| # User enables the plugin and allows it to exec sh | ||
| $ kubectl apply -k https://github.com/chuck/maliciousapp --enable-plugins --plugin-path=/bin |
There was a problem hiding this comment.
Hmm... my only concert is that this will confuse users, when he reads --enable-plugins the first thing he might think of is kubectl plugins, but that's not the case here.
There was a problem hiding this comment.
The plugin is enabled by installing it.
| or another location she provided with `--plugin-path=<path-including-exploitable-binary>` | ||
| - The specified SecretGenerator must be exploitable | ||
| - Simple transformation functions would not be exploitable. | ||
| - e.g. A command like `cat` would not be possible for Chuck to exploit in a meaningful way. |
There was a problem hiding this comment.
Additional risk is that --enable-plugins is specified as part of alias, thus invoking kustomize will always have that enabled.
There was a problem hiding this comment.
These flags will be aliased or encoded in scripts. The true opt-in point is installing the plugin. If a bad actor can install the plugin, none of these flags help.
The real issue here is the assumption that someone is blindly obtaining instructions from the web and blindly using them when applying to their cluster.
In this spirit of helping people to avoid hurting themselves, one could help here by failing on any attempt to obtain a kustomization target from the web unless the user specified
--enable_download_of_unverified_instructions_from_the_internet
or some such. But people can already curl | apply so...
Someone who's blindly installing resources found on the web to their cluster is putting their cluster at risk. I understand that local exec is a new twist here, but arguably that's only a threat to the system which is running kustomize, and the user has already opted in by installing the plugin.
There was a problem hiding this comment.
This only addresses malicious plugins, not exploitable plugins. They are 2 different things.
|
|
||
| #### Enable Plugins with Environment Variables | ||
|
|
||
| Allow users to specify `export KUSTOMIZE_ENABLE_PLUGINS=true` instead of providing the flag. |
There was a problem hiding this comment.
Although it's convenient, env vars usually hide stuff. For this particular usecase I'd prefer we do not have env var. Although the alias problem (see my other comment) is still a thing.
There was a problem hiding this comment.
The env var acknowledges that the flag is merely a source of annoyance.
|
I think I agree with @monopole that most of this is unnecessary. Having the plugins prefixed with |
|
i like plugins as an extension point, but don't think this proposal establishes that these extra flags solve a problem that isn't already solved. The plugins are here: This allows them to be installed and virtually relocated with whatever security your local filesystem has. The convention here is that followed by chrome, gcloud, etc. The path makes it unambiguous that these are kustomize plugins. It's already implemented for goplugins - exec plugins can be added trivially. |
Why is kustomize- prefix better than a dir? At least 1 user has expressed they prefer the dir approach. |
can we please not make the mistake kubectl did and require a prefix of If you want a prefix for some reason, please don't make it the same as the base command :) -- signed a sad bash completion fan |
|
Just speaking as an interested user here. Either approach is acceptable to me, but I don't see a compelling reason to deviate from the path that I'm looking at KEP 24 and it notes that "[forcing] plugin scripts and executables to exist in a pre-determined location" was undesirable but doesn't explain why. Anyone know the story there? |
Either way would work, as long as you don't have to explicitely specify that path everytime. If we have a default path, it should probably be something simple enough that I don't have to create a specific hierarchy to satisfy the tool (If I want to configure |
Prefix vs PathNo argument has been given to justify one of these as strictly better than the other. They have slightly different UX each of which appeals to different users. Everyone has their own opinion without a lot of data beside personal preference (including myself). We need to choose:
Explicit flag to enableOrganizations are likely to provide their own kustomize distributions with their own plugins. IMHO, It is more likely that the distributed plugins will be Exploitable (e.g. The big points are:
What is the worst case scenario with requiring the flag? |
|
Have we also considered an exec-less implementation? kustomize build --external-secret-generator | my-custom-secret-fetcher > secrets.yaml
kustomize edit add resource secrets.yaml
kustomize build | kubectl apply -f -Edit: Also, lmk if it'd be more appropriate to propose that ^ elsewhere. Like if this discussion is "how to" exec plugins rather than "should we", that's totally fair. |
I'm trying to achieve a |
|
withdrawn, lets go. |
|
Phil has already merged https://github.com/kubernetes/enhancements/blob/master/keps/sig-cli/20190318-kustomize-generators-transformers.md, which arguably includes secret generation via plugin as a subset, so we can accept this or just drop it /lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: monopole, pwittrock The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Follow up to #811