Update Security Model docs #106
Conversation
Codecov Report
@@ Coverage Diff @@
## master #106 +/- ##
========================================
- Coverage 61.1% 59.5% -1.6%
========================================
Files 8 8
Lines 370 370
========================================
- Hits 226 220 -6
- Misses 115 119 +4
- Partials 29 31 +2
Continue to review full report at Codecov.
|
| synced secrets have an IAMRole field defined, kube-secret-syncer will assume that role before retrieving the secret. This | ||
| implies that the role specified by IAMRole can be assumed by the role of the Kubernetes node kube-secret-syncer runs on. | ||
| Kube-secret-syncer relies on the AWS Go SDK to communicate with AWS - and supports the different ways of | ||
| authenticating to AWS described in the [AWS Go SDK documentation](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials). |
There was a problem hiding this comment.
I think we should explicitly point out that additional steps are required to prevent that the iam roles used kube-secret-syncer aren't assumable by other pods in the k8s cluster as this would otherwise break the security model.
E.g. You shouldn't use ec2 instance profile based authentication and you need to enable namespace restrictions if you use kube2iam https://github.com/jtblin/kube2iam#namespace-restrictions, which isn't enabled by default.
There was a problem hiding this comment.
I'd second this -- at a minimum it's probably worth calling out which auth methods would break the security model, and the necessary requirements to maintain the security model, like:
prevent that the iam roles used kube-secret-syncer aren't assumable by other pods in the k8s cluster
I can understand not giving explicit setup instructions (for kube2iam, kiam, IRSA, etc.) as the projects themselves will always have the most complete/up-to-date documentation. But might also be worth a link or two to some of those projects that can be configured to meet the requirements?
This should address #39
You should be able to configure kube-secret-syncer with environment variables/config files/... instead of using the IAM Role of the instance, and benefit from IAM restrictions if the IAM roles can be assumed by the "master" role kube-secret-syncer uses.