Open rothgar opened 1 month ago
You can still get that from Talos logs :thinking: So I wonder if we should do it there.
If we move this into a Talos feature then I'm assuming we could show sensitive information with an API option and Omni could use that on node log pages (hiding sensitive information by default).
Problem Description
If I open the Omni home page my join token is obscured/hidden so that it is not accidentally exposed. The same security concern (unauthenticated people joining machines to my Omni instance) also happens if I expose my factory schema.
Factory schema is printed as output on machine logs during installation and someone can use that schema to download my installation media and extract my join token.
Solution
Machine logs should filter/hide factory schema. This is probably needed from the Omni UI as well as omnictl machine-logs.
Alternative Solutions
We could add authentication to factory endpoints that use an Omni join token. I don't think that's feasible because of all the different ways the factory can be used (e.g. PXE).