Set the operator up with enforced secrets
To prevent arbitrary secret access using compromised SAs, the SAs
created by Submariner are now configured to enforce mountable secrets.
This requires that accessible secrets be listed explicitly in the SA.
To make this simple, use a static name for the broker secret. To allow
secrets to be configured, leave them alone when creating or updating
the SAs.

Signed-off-by: Stephen Kitt <[email protected]>
skitt authored and tpantelis committed Jul 9, 2024
1 parent c5cc7ff commit 9ecfa12
Showing 4 changed files with 5 additions and 9 deletions.
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -21,7 +21,7 @@ require (
github.com/submariner-io/lighthouse v0.17.2
github.com/submariner-io/shipyard v0.17.2
github.com/submariner-io/submariner v0.17.2
github.com/submariner-io/submariner-operator v0.17.2
github.com/submariner-io/submariner-operator v0.17.3-0.20240709140014-b957cc9ca3c3
github.com/uw-labs/lichen v0.1.7
golang.org/x/net v0.23.0
golang.org/x/oauth2 v0.16.0
4 changes: 2 additions & 2 deletions go.sum
Expand Up @@ -536,8 +536,8 @@ github.com/submariner-io/shipyard v0.17.2 h1:+ev89enbv98uP6BgrIRyVoyXYqOD/+9o49E
github.com/submariner-io/shipyard v0.17.2/go.mod h1:Mrp0LPXBXYpbjMwhqq89G86Xgjz+U4vZM9Qg+F1ZBQw=
github.com/submariner-io/submariner v0.17.2 h1:6kyT5cJk+4+PzBxcsCbd5sFtkdxE34j/uHMaQCKqUtA=
github.com/submariner-io/submariner v0.17.2/go.mod h1:zbM5q83U7gkuty+fTJm7Dj1/lzfR4bBgKwQIPn0bY88=
github.com/submariner-io/submariner-operator v0.17.2 h1:7bG8swDCQBmL6bkxZK9GtR7qvGfC76/1wZgO7SNtIxU=
github.com/submariner-io/submariner-operator v0.17.2/go.mod h1:PoSGGrq810UdJwNmQC5LswOZ82zR7nMvoTOF5ZzZZqg=
github.com/submariner-io/submariner-operator v0.17.3-0.20240709140014-b957cc9ca3c3 h1:zeC3KgkAEst9vR6ng+VlEiHoqxq9fzMoKaKwL/ApNrE=
github.com/submariner-io/submariner-operator v0.17.3-0.20240709140014-b957cc9ca3c3/go.mod h1:PoSGGrq810UdJwNmQC5LswOZ82zR7nMvoTOF5ZzZZqg=
github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
2 changes: 1 addition & 1 deletion pkg/join/join.go
Expand Up @@ -209,7 +209,7 @@ func populateBrokerSecret(brokerInfo *broker.Info) *v1.Secret {
// We need to copy the broker token secret as an opaque secret to store it in the connecting cluster
return &v1.Secret{
ObjectMeta: metav1.ObjectMeta{
GenerateName: "broker-secret-",
Name: "submariner-broker-secret",
},
Type: v1.SecretTypeOpaque,
Data: brokerInfo.ClientToken.Data,
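Review bot: Switching from `GenerateName: "broker-secret-"` to a fixed `Name` turns the broker secret into a create-once object: a second join into the same namespace would fail with AlreadyExists if the caller still does a plain Create rather than create-or-update, and the `broker-secret-*` secrets left behind by earlier joins are not removed, so each of them still holds a copy of the broker client token. The reason for the fixed name is only in the commit message; a comment at the field would keep it with the code, e.g. `// Static name so the secret can be listed explicitly in the ServiceAccount's enforced mountable secrets.` Presumably the operator side lists this same name in the SA it creates; a shared constant instead of a string literal would keep the two from drifting apart silently. The caller that persists this secret, and the rest of populateBrokerSecret, are outside the hunk.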
6 changes: 1 addition & 5 deletions pkg/serviceaccount/ensure.go
Expand Up @@ -43,11 +43,7 @@ const (
)

func ensure(ctx context.Context, kubeClient kubernetes.Interface, namespace string, sa *corev1.ServiceAccount) (bool, error) {
result, err := util.CreateOrUpdate(ctx, resource.ForServiceAccount(kubeClient, namespace), sa,
func(existing *corev1.ServiceAccount) (*corev1.ServiceAccount, error) {
existing.Secrets = nil
return existing, nil
})
result, err := util.CreateOrUpdate(ctx, resource.ForServiceAccount(kubeClient, namespace), sa, util.Replace(sa))

return result == util.OperationResultCreated, errors.Wrapf(err, "error creating or updating ServiceAccount %q", sa.Name)
}
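Review bot: If `util.Replace(sa)` hands the desired object back wholesale, as its name suggests, the live ServiceAccount's `secrets`, `imagePullSecrets`, labels and annotations all become exactly what `sa` carries on every update; anything added out of band (by an admin, or by clusters that still auto-provision token secrets) is dropped rather than left alone as the description puts it. If the intent is that `sa` is the single source of truth for the enforced mountable-secret list, say so at the call: `// Replace rather than merge: the SA's secret list must be exactly what we declare.` Enforcement itself depends on the callers putting the enforce annotation and the secret names on `sa`; nothing in ensure checks that, and those callers are outside the hunk.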

