kubescape / storage

Apache License 2.0

Storage does not validate client certificate #117

Open slashben opened 4 months ago

slashben commented 4 months ago

The current implementation does not validate peer TLS certificates, and any client can connect to it and pull data. It should only be the Kubernetes API server that is allowed to do queries.

matthyx commented 1 month ago

@slashben do we want to fix that?

slashben commented 1 month ago

we must, but it should be fairly simple

slashben commented 1 month ago

it should be set up in ClientCA in the SecureServingInfo see more here https://pkg.go.dev/k8s.io/apiserver/pkg/server#SecureServingInfo
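
The following is an added, self-contained Go example, not code from the kubescape/storage repository or from the thread above. It shows, with the standard library's crypto/tls rather than k8s.io/apiserver's SecureServingInfo, what the missing check amounts to: the server is configured with a client CA pool and `tls.RequireAndVerifyClientCert`, so an anonymous client and a client whose certificate comes from an unrelated CA are both refused at the handshake, while a client certificate issued by the trusted CA gets through. All CAs, names (`cluster-ca`, `storage`, `kube-apiserver`, `other-ca`, `intruder`) and certificates are constructed in memory for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// mustIdentity issues a cert for cn, self-signed when parent is nil (our constructed CAs), else signed by parent.
func mustIdentity(cn string, isCA bool, parent *tls.Certificate) *tls.Certificate {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")}, // httptest binds to loopback
	}
	parentCert, signer := tmpl, priv // self-signed unless a parent is given
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent != nil {
		parentCert, signer = parent.Leaf, parent.PrivateKey.(*ecdsa.PrivateKey)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &priv.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER that CreateCertificate just produced always parses
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}

// newServer is an HTTPS server that completes the handshake only for clients whose certificate chains
// to clientCA. Without ClientCAs and a verifying ClientAuth any client can connect, which is the issue.
func newServer(server *tls.Certificate, clientCA *x509.Certificate) *httptest.Server {
	pool := x509.NewCertPool()
	pool.AddCert(clientCA)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// PeerCertificates is never empty here: the handshake already required a verified client cert.
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{*server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the missing check: refuse anonymous or unverifiable peers
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
	}
	srv.StartTLS()
	return srv
}

// get performs one request against the server; a nil client presents no client certificate at all.
func get(url string, serverCA *x509.Certificate, client *tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(serverCA)
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	if client != nil {
		cfg.Certificates = []tls.Certificate{*client}
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Demo builds a cluster CA, a server cert and a trusted client cert from it, plus a client cert from an unrelated CA.
func Demo() (anonRejected, untrustedCARejected bool, trustedBody string, err error) {
	ca := mustIdentity("cluster-ca", true, nil)
	srv := newServer(mustIdentity("storage", false, ca), ca.Leaf)
	defer srv.Close()
	_, anonErr := get(srv.URL, ca.Leaf, nil) // no client certificate
	_, rogueErr := get(srv.URL, ca.Leaf, mustIdentity("intruder", false, mustIdentity("other-ca", true, nil)))
	trustedBody, err = get(srv.URL, ca.Leaf, mustIdentity("kube-apiserver", false, ca))
	return anonErr != nil, rogueErr != nil, trustedBody, err
}

func main() { fmt.Println(Demo()) }
```

Running it prints `true true hello kube-apiserver <nil>`: both unauthorised clients fail before any data is served, and only the certificate issued by the cluster CA reaches the handler. The CA bundle to put in the pool is what the API server's client certificates chain to, which is the certificate the thread later discusses reading at install time.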

matthyx commented 1 month ago

> it should be set up in ClientCA in the SecureServingInfo see more here https://pkg.go.dev/k8s.io/apiserver/pkg/server#SecureServingInfo

nice, do we want to add a config entry for that certificate? or should we read it from somewhere in the downward API?

slashben commented 1 month ago

Wait, we have two problems here.

One is we need to have the client certificate of the API server (it can be taken with `kubectl get configmap -n kube-public cluster-info -o jsonpath='{.data.kubeconfig}' | yq | jq '.clusters[0].cluster."certificate-authority-data"'`, I guess we can read it during the helm installation)

The second is that we do not generate a server certificate 😞

```yaml
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
spec:
  insecureSkipTLSVerify: true
```

slashben commented 1 month ago

@matthyx see my PRs (they were tested locally)