kolide / fleet

A flexible control server for osquery fleets
https://kolide.com/fleet
MIT License

Feature Idea: multiple enrollment secrets w/ automatic host labeling #1994

Open robusto opened 5 years ago

robusto commented 5 years ago

Problem

Currently, a single Fleet instance has a single enrollment secret. Unfortunately, once this secret ends up on a single host it is not really that secret. Conceivably, one malicious actor could DoS a Fleet instance with a single enrollment secret and lots of Docker images. 🤚

Example: We've done it while load testing our Fleet instances with 20K+ virtual "hosts".

Idea

Ability for Fleet administrators to create multiple, named enrollment secrets.

Aside from the small chance of a malicious agent abuse, having multiple named secrets would enable easier tracking, management, and grouping of osquery enrollments. Naming or describing the specific "secret" would allow operators to monitor specific subsets of hosts within an organization without requiring canonical host setup for label queries. It would be easy to "auto-generate" a label or host group based upon which enrollment secret was used.

Summary
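The scheme proposed above, as an added example sketched in Go (Fleet's own language); this is not Fleet's code and not the reporter's. It assumes an in-memory `Enroller` with hypothetical `NamedSecret`, `Match`, `Enroll`, `Revoke` and `Label` helpers invented for the illustration. The JSON field names (`enroll_secret`, `host_identifier`, `host_details`, `node_key`, `node_invalid`) are those osquery's TLS enroll plugin exchanges, and `/api/v1/osquery/enroll` is the path Fleet serves enrollment on; the rest of the data model is assumed.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"sync"
)

// NamedSecret is a hypothetical record for one named enrollment secret.
// Assumption for this example only: Fleet has no such type in the version
// discussed in the issue.
type NamedSecret struct {
	Name   string // operator-chosen name; becomes the auto-generated label
	Secret string
}

// enrollRequest mirrors the fields osquery's TLS enroll plugin POSTs.
type enrollRequest struct {
	EnrollSecret   string          `json:"enroll_secret"`
	HostIdentifier string          `json:"host_identifier"`
	HostDetails    json.RawMessage `json:"host_details"`
}

// enrollResponse mirrors the fields osquery expects back.
type enrollResponse struct {
	NodeKey     string `json:"node_key,omitempty"`
	NodeInvalid bool   `json:"node_invalid"`
}

var ErrInvalidSecret = errors.New("enroll: no enrollment secret matched")

// Enroller holds the named secrets and the hosts that enrolled through them.
// Storage is an in-memory map here (assumption); a real server persists it.
type Enroller struct {
	mu       sync.Mutex
	secrets  map[string]string // secret name -> secret value
	labels   map[string]string // host_identifier -> label (the secret name)
	nodeKeys map[string]string // node_key -> host_identifier
}

func NewEnroller(secrets ...NamedSecret) *Enroller {
	e := &Enroller{secrets: map[string]string{}, labels: map[string]string{}, nodeKeys: map[string]string{}}
	for _, s := range secrets {
		e.secrets[s.Name] = s.Secret
	}
	return e
}

// Match returns the name of the secret equal to presented. Every secret is
// compared with subtle.ConstantTimeCompare and the loop never exits early,
// so response time does not reveal which secret was closest. Note that
// ConstantTimeCompare still returns early on a length mismatch.
func (e *Enroller) Match(presented string) (string, error) {
	e.mu.Lock()
	defer e.mu.Unlock()
	matched := ""
	for name, secret := range e.secrets {
		if subtle.ConstantTimeCompare([]byte(secret), []byte(presented)) == 1 {
			matched = name
		}
	}
	if matched == "" {
		return "", ErrInvalidSecret
	}
	return matched, nil
}

// Revoke drops one named secret. Hosts already enrolled keep their node keys
// and labels; only new enrollments with that secret are refused. This is the
// blast-radius benefit over a single shared secret: a leaked CI secret can be
// retired without re-enrolling every laptop.
func (e *Enroller) Revoke(name string) {
	e.mu.Lock()
	defer e.mu.Unlock()
	delete(e.secrets, name)
}

// Label reports the auto-generated label of an enrolled host.
func (e *Enroller) Label(hostIdentifier string) (string, bool) {
	e.mu.Lock()
	defer e.mu.Unlock()
	l, ok := e.labels[hostIdentifier]
	return l, ok
}

// Enroll validates the secret, records the host under the secret's name and
// issues a fresh 256-bit random node key.
func (e *Enroller) Enroll(req enrollRequest) (enrollResponse, error) {
	label, err := e.Match(req.EnrollSecret)
	if err != nil {
		return enrollResponse{NodeInvalid: true}, err
	}
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return enrollResponse{NodeInvalid: true}, err
	}
	key := hex.EncodeToString(buf)
	e.mu.Lock()
	e.labels[req.HostIdentifier] = label
	e.nodeKeys[key] = req.HostIdentifier
	e.mu.Unlock()
	return enrollResponse{NodeKey: key}, nil
}

// ServeHTTP handles POST /api/v1/osquery/enroll. A bad secret gets 401 with
// node_invalid:true; the body is capped so junk enrollments cannot exhaust memory.
func (e *Enroller) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, 1<<20)
	var req enrollRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	resp, err := e.Enroll(req)
	w.Header().Set("Content-Type", "application/json")
	if err != nil {
		w.WriteHeader(http.StatusUnauthorized)
	}
	json.NewEncoder(w).Encode(resp)
}

func main() {
	// Constructed sample secrets; never hard-code real ones.
	e := NewEnroller(
		NamedSecret{Name: "laptops", Secret: "laptop-secret-example"},
		NamedSecret{Name: "ci-runners", Secret: "ci-secret-example"},
	)
	resp, _ := e.Enroll(enrollRequest{EnrollSecret: "ci-secret-example", HostIdentifier: "runner-01"})
	label, _ := e.Label("runner-01")
	fmt.Printf("runner-01 enrolled, node_key %s..., label=%q\n", resp.NodeKey[:8], label)
	e.Revoke("ci-runners")
	_, err := e.Enroll(enrollRequest{EnrollSecret: "ci-secret-example", HostIdentifier: "runner-02"})
	fmt.Println("after revoking ci-runners:", err)
}
```

The label is derived from which secret matched, not from anything the host reports, so a host cannot pick its own group; the cost is that one leaked secret still admits unlimited hosts into that group until it is revoked, which is why the mutual-TLS suggestion below goes further.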

directionless commented 5 years ago

If we did something host-specific, I would be inclined towards mutual TLS

zwass commented 5 years ago

Thanks for the thoughtful feature request!

I think that we can work towards supporting multiple enrollment secrets. The trickier part is going to be creating labels based on these secrets. We don't currently have any support for "manually" created labels, though this is a feature that has been requested (https://github.com/kolide/fleet/issues/1967). If we extend the data model for labels to support manual labels, it will become much easier to add the auto labeling support you are looking for.

With all of that said, how would you rate the utility of multiple enrollment secrets without the labeling feature? If that is still high, we can look to implement this before we have the manual labels support. Otherwise we would likely hold off until manual labels are supported.