vapor-ware / kubetest

Kubernetes integration testing in Python via pytest
https://kubetest.readthedocs.io/en/latest/
GNU General Public License v3.0

Security issue #199

Open ric79 opened 3 years ago

ric79 commented 3 years ago

Hello, I have a security issue. To start the automation I need to pass the --kube-config file, which contains the infrastructure credentials in plain text. For this reason, I cannot use the tool in production. Is it possible to solve the problem?

One solution is to use an Ansible-like approach. For example, the kube-config could also be passed encrypted. Your internal parser could then look for an environment key (KUBETEST_DECRYPT_KEY) to decrypt it. This is a standard solution where the inventories are encrypted and you need a key to run them.

Riccardo
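As an added example (not kubetest's own code, nor the reporter's), here is a dependency-free sketch of the loader side of the idea above: instead of decrypting a whole file, credential fields in the kubeconfig hold `${VAR}` placeholders that are resolved from the environment at load time, and the loader refuses plain-text credentials and group/world-readable files. The sample kubeconfig, the `KUBETEST_TOKEN` variable name and all function names are assumptions made for this example.

```python
import os
import re
import stat
import tempfile
from string import Template

# Credential-bearing kubeconfig fields; their on-disk value must be a ${VAR} placeholder.
_SECRET_FIELD_RE = re.compile(r"^\s*(token|password|client-key-data):\s*(\S.*)$", re.M)

def find_literal_secrets(text):
    # Names of credential fields whose value is a literal rather than a placeholder.
    return [name for name, value in _SECRET_FIELD_RE.findall(text)
            if not re.fullmatch(r"\$\{[A-Z0-9_]+\}", value.strip())]

def resolve_kubeconfig(text, env):
    """Fill ${VAR} placeholders from env; fail closed on literal secrets or missing vars."""
    literal = find_literal_secrets(text)
    if literal:
        raise ValueError("plain-text credentials in kubeconfig: " + ", ".join(literal))
    try:
        return Template(text).substitute(env)
    except KeyError as exc:
        raise ValueError(f"no environment variable for placeholder {exc}") from None

def load_kubeconfig(path, env=os.environ):
    """Read a kubeconfig that must be owner-only (mode 0600) and resolve its placeholders."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is group/world accessible (mode {mode:o}), expected 0600")
    with open(path) as fh:
        return resolve_kubeconfig(fh.read(), env)

# Constructed sample kubeconfig: the token lives in the environment, never in the file.
SAMPLE_KUBECONFIG = """\
apiVersion: v1
kind: Config
clusters:
- {name: prod, cluster: {server: https://kube.example.internal:6443, certificate-authority: /etc/kubetest/ca.crt}}
users:
- name: ci
  user:
    token: ${KUBETEST_TOKEN}
"""

def demo(env):
    with tempfile.NamedTemporaryFile("w", suffix=".yaml", delete=False) as fh:
        fh.write(SAMPLE_KUBECONFIG)
    resolved = load_kubeconfig(fh.name, env)
    os.remove(fh.name)
    return resolved
```

`demo` relies on `NamedTemporaryFile` creating the file with mode 0600 on POSIX, which is what the permission check in `load_kubeconfig` expects; the resolved text is held only in memory and would be handed to the test session rather than written back to disk.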

edaniszewski commented 3 years ago

Thanks for opening up the issue -- sorry I didn't get to it sooner. This definitely seems like something that can be implemented. The approach you suggested seems like it would be pretty feasible to implement.

I'm spread a bit thin right now, so I can't get to this right away, but I'll definitely put it on my roadmap for the near future.

danquack commented 3 years ago

@ric79 can you provide an example of what the contents of an encrypted config would look like?

One workaround my team used for this is loading the config, then setting the encrypted portions within Python itself (pulling from a remote source). Not sure if this is similar to what you are trying to do, but here's a simplified version of the overrides. In this example, the secret portion is the account id and a variable, but I imagine you can extrapolate this to whatever your use case is.

```python
from boto3 import client  # STS lookup of the AWS account id (boto3, not part of kubetest)


def create_sa(kube, secret_role_name):
    """
    A helper function to create a service account; the account-specific
    role ARN is injected at runtime instead of being stored in the manifest
    """
    sa = kube.load_serviceaccount("configs/sa.yaml")
    account_id = client('sts').get_caller_identity()["Account"]
    role_arn = f"arn:aws:iam::{account_id}:role/{secret_role_name}"
    sa.obj.metadata.annotations['eks.amazonaws.com/role-arn'] = role_arn
    return sa


def test_create_sa(kube, secret_role_name):
    """
    A function to test the creation of a service account
    Goal: This will test the ability to interface with the k8s cli
    """
    kube.namespace = "dev"
    patch_namespace(kube.namespace)  # helper from the poster's own suite, not shown here

    sa = create_sa(kube, secret_role_name)
    kube.create(sa)
    assert sa.is_ready()
```