crossplane-contrib / provider-kubernetes

Crossplane provider to provision and manage Kubernetes objects on (remote) Kubernetes clusters.
Apache License 2.0

Enable Secret References to hide sensitive data #223

Open stevendborrelli opened 5 months ago

stevendborrelli commented 5 months ago

What problem are you facing?

Management of K8s secrets leaks data in the Object that creates the Secret.

Kubernetes apply will publish the secret data in the annotation (see wontfix https://github.com/kubernetes/kubernetes/issues/29923). This makes sense on the Secret itself; however, provider-kubernetes includes the secret data in the Object annotations and in spec.forProvider.manifest.

PR https://github.com/crossplane-contrib/provider-kubernetes/pull/193 addressed this in the object's status, but we are still leaking data in the managed Object.

For example, creating the following secret using a patch from another Secret will leak the data in spec.forProvider.manifest:

```yaml
---
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: secretpatch
spec:
  references:
  # Use patchesFrom to patch field from other k8s resource to this object
  - patchesFrom:
      apiVersion: v1
      kind: Secret
      name: secretpatch
      namespace: crossplane-system
      fieldPath: data.sensitive
    toFieldPath: data.key-from-secret
  forProvider:
    manifest:
      apiVersion: v1
      kind: Secret
      metadata:
        namespace: default
      data: {}
  providerConfigRef:
    name: kubernetes-provider
---
apiVersion: v1
kind: Secret
metadata:
  name: secretpatch
  namespace: crossplane-system
type: Opaque
data:
  sensitive: cGFzc3dvcmQ=
```
```yaml
#  kubectl get object.kubernetes.crossplane.io/secretpatch   -o yaml
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  annotations:
    crossplane.io/external-create-pending: "2024-04-16T15:03:32Z"
    crossplane.io/external-create-succeeded: "2024-04-16T15:03:32Z"
    crossplane.io/external-name: secretpatch
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"kubernetes.crossplane.io/v1alpha2","kind":"Object","metadata":{"annotations":{},"name":"secretpatch"},"spec":{"forProvider":{"manifest":{"apiVersion":"v1","data":{},"kind":"Secret","metadata":{"namespace":"default"}}},"providerConfigRef":{"name":"kubernetes-provider"},"references":[{"patchesFrom":{"apiVersion":"v1","fieldPath":"data.sensitive","kind":"Secret","name":"secretpatch","namespace":"crossplane-system"},"toFieldPath":"data.key-from-secret"}]}}
  creationTimestamp: "2024-04-16T15:03:32Z"
  finalizers:
  - finalizer.managedresource.crossplane.io
  generation: 3
  name: secretpatch
  resourceVersion: "361526"
  uid: 97cc668a-16ce-46a0-926c-8b0dbb79865c
spec:
  deletionPolicy: Delete
  forProvider:
    manifest:
      apiVersion: v1
      data:
        key-from-secret: cGFzc3dvcmQ=
      kind: Secret
      metadata:
        namespace: default
  managementPolicies:
  - '*'
  providerConfigRef:
    name: kubernetes-provider
  readiness:
    policy: SuccessfulCreate
  references:
  - patchesFrom:
      apiVersion: v1
      fieldPath: data.sensitive
      kind: Secret
      name: secretpatch
      namespace: crossplane-system
    toFieldPath: data.key-from-secret
status:
  atProvider:
    manifest:
      apiVersion: v1
      data:
        redacted: null
      kind: Secret
      metadata:
        annotations:
          kubectl.kubernetes.io/last-applied-configuration: '{"apiVersion":"v1","data":{"key-from-secret":"cGFzc3dvcmQ="},"kind":"Secret","metadata":{"namespace":"default"}}'
        creationTimestamp: "2024-04-16T15:03:32Z"
        managedFields:
        - apiVersion: v1
          fieldsType: FieldsV1
          fieldsV1:
            f:data:
              .: {}
              f:key-from-secret: {}
            f:metadata:
              f:annotations:
                .: {}
                f:kubectl.kubernetes.io/last-applied-configuration: {}
            f:type: {}
          manager: crossplane-kubernetes-provider
          operation: Update
          time: "2024-04-16T15:03:32Z"
        name: secretpatch
        namespace: default
        resourceVersion: "361522"
        uid: 49f2fad2-6670-4b0a-bfee-5be53faeeb1a
      type: Opaque
  conditions:
  - lastTransitionTime: "2024-04-16T15:03:32Z"
    reason: Available
    status: "True"
    type: Ready
  - lastTransitionTime: "2024-04-16T15:03:32Z"
    reason: ReconcileSuccess
    status: "True"
    type: Synced
```

How could Crossplane help solve your problem?

I'm not sure what the proper solution is; some ideas I had:
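The following is an added example, not code from the issue author or from provider-kubernetes. It shows how a cluster operator could audit an Object resource for the leak described above: given the Object as a dict (as loaded from `kubectl get object ... -o json`), it reports every Secret key whose value is present in `spec.forProvider.manifest`, in the `kubectl.kubernetes.io/last-applied-configuration` annotation, or in `status.atProvider.manifest`, and it includes a redaction helper of the kind PR #193 applied to status. The `SAMPLE_OBJECT` is a constructed, trimmed version of the `kubectl get` dump in the issue; the function names are the example's own.

```python
"""Audit Crossplane provider-kubernetes Object resources for Secret data
that has been copied into the managed Object itself.

Added example for issue #223; not part of the provider. Assumes the Object
was fetched as JSON and loaded into a dict.
"""
import copy
import json

# Fields of a Secret manifest that carry sensitive material.
SECRET_DATA_FIELDS = ("data", "stringData")


def _dig(obj, *path):
    """Return obj[path[0]][path[1]]... or None if any key is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def _secret_keys(manifest):
    """Keys under data/stringData of a Secret manifest that hold a value.

    Keys whose value is null/empty (already redacted) are not reported."""
    if not isinstance(manifest, dict) or manifest.get("kind") != "Secret":
        return []
    found = []
    for field in SECRET_DATA_FIELDS:
        values = manifest.get(field) or {}
        found.extend(f"{field}.{k}" for k, v in values.items() if v)
    return found


def find_secret_leaks(obj):
    """Return (location, key) pairs where secret values are present in the
    Object: the spec manifest, the kubectl last-applied annotation (which
    carries the spec as JSON), and the status manifest."""
    leaks = []
    spec_manifest = _dig(obj, "spec", "forProvider", "manifest")
    leaks += [("spec.forProvider.manifest", k) for k in _secret_keys(spec_manifest)]

    annotation = _dig(obj, "metadata", "annotations",
                      "kubectl.kubernetes.io/last-applied-configuration")
    if annotation:
        try:
            applied = json.loads(annotation)
        except json.JSONDecodeError:
            applied = {}
        applied_manifest = _dig(applied, "spec", "forProvider", "manifest")
        leaks += [("metadata.annotations.last-applied-configuration", k)
                  for k in _secret_keys(applied_manifest)]

    status_manifest = _dig(obj, "status", "atProvider", "manifest")
    leaks += [("status.atProvider.manifest", k) for k in _secret_keys(status_manifest)]
    return leaks


def redact_secret_manifest(manifest):
    """Return a copy of a Secret manifest with every data/stringData value
    replaced by None, similar to the `redacted: null` shape seen in status."""
    out = copy.deepcopy(manifest)
    if isinstance(out, dict) and out.get("kind") == "Secret":
        for field in SECRET_DATA_FIELDS:
            if isinstance(out.get(field), dict):
                out[field] = {k: None for k in out[field]}
    return out


# Constructed sample, trimmed from the dump in the issue: the patched-in
# value has landed in spec.forProvider.manifest, the annotation still holds
# the empty `data: {}` from the applied YAML, and status is already redacted.
SAMPLE_OBJECT = {
    "apiVersion": "kubernetes.crossplane.io/v1alpha2",
    "kind": "Object",
    "metadata": {
        "name": "secretpatch",
        "annotations": {
            "kubectl.kubernetes.io/last-applied-configuration": json.dumps({
                "apiVersion": "kubernetes.crossplane.io/v1alpha2",
                "kind": "Object",
                "spec": {"forProvider": {"manifest": {
                    "apiVersion": "v1", "kind": "Secret", "data": {}}}},
            }),
        },
    },
    "spec": {"forProvider": {"manifest": {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"namespace": "default"},
        "data": {"key-from-secret": "cGFzc3dvcmQ="},
    }}},
    "status": {"atProvider": {"manifest": {
        "apiVersion": "v1",
        "kind": "Secret",
        "data": {"redacted": None},
    }}},
}

if __name__ == "__main__":
    for location, key in find_secret_leaks(SAMPLE_OBJECT):
        print(f"secret value present at {location} ({key})")
```

Run against a live cluster by piping `kubectl get objects.kubernetes.crossplane.io -A -o json` through `json.load` and calling `find_secret_leaks` on each item; on the sample it reports only `spec.forProvider.manifest`, which is exactly the field the issue is about, while the already-redacted status produces nothing.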