Update Security Model docs #106

8 changes: 5 additions & 3 deletions README.md
Expand Up @@ -138,9 +138,11 @@ Kube-secret-syncer maintains both the list of AWS Secrets as well as their value

## [Security model](#security-model)

By default, kube-secret-syncer will use the Kubernetes node's IAM role to list and retrieve the secrets. However, when
synced secrets have an IAMRole field defined, kube-secret-syncer will assume that role before retrieving the secret. This
implies that the role specified by IAMRole can be assumed by the role of the Kubernetes node kube-secret-syncer runs on.
Kube-secret-syncer relies on the AWS Go SDK to communicate with AWS - and supports the different ways of
authenticating to AWS described in the [AWS Go SDK documentation](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials).


I think we should explicitly point out that additional steps are required to prevent the IAM roles used by kube-secret-syncer from being assumable by other pods in the k8s cluster, as this would otherwise break the security model.

E.g. you shouldn't use EC2 instance profile based authentication, and you need to enable namespace restrictions if you use kube2iam (https://github.com/jtblin/kube2iam#namespace-restrictions), which aren't enabled by default.


I'd second this -- at a minimum it's probably worth calling out which auth methods would break the security model, and the necessary requirements to maintain the security model, like:

> prevent the IAM roles used by kube-secret-syncer from being assumable by other pods in the k8s cluster

I can understand not giving explicit setup instructions (for kube2iam, kiam, IRSA, etc.) as the projects themselves will always have the most complete/up-to-date documentation. But might also be worth a link or two to some of those projects that can be configured to meet the requirements?

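The namespace allow-list both reviewers refer to (kube2iam's `iam.amazonaws.com/allowed-roles` annotation, which the new README text says kube-secret-syncer checks before assuming an `IAMRole`) can be illustrated with a small check like the one below. This is an added example, not kube-secret-syncer's or kube2iam's own code; it assumes the annotation holds a JSON array of role ARNs and treats `*` as a wildcard, and the account id and role names are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// allowedRolesAnnotation is the kube2iam namespace annotation named in the README diff.
const allowedRolesAnnotation = "iam.amazonaws.com/allowed-roles"

// globToRegexp turns an allow-list entry into an anchored regexp where only "*"
// is special. Assumption: kube2iam's own matching rules may differ in detail.
func globToRegexp(pattern string) *regexp.Regexp {
	quoted := strings.ReplaceAll(regexp.QuoteMeta(pattern), `\*`, ".*")
	return regexp.MustCompile("^" + quoted + "$")
}

// roleAllowed reports whether roleARN may be assumed on behalf of a namespace
// with the given annotations. Fail closed: a namespace without the annotation
// gets no roles at all, and a malformed annotation is an error rather than a
// silent allow, so a typo can never widen access.
func roleAllowed(annotations map[string]string, roleARN string) (bool, error) {
	raw, ok := annotations[allowedRolesAnnotation]
	if !ok {
		return false, nil
	}
	var allowed []string
	if err := json.Unmarshal([]byte(raw), &allowed); err != nil {
		return false, fmt.Errorf("parse %s: %w", allowedRolesAnnotation, err)
	}
	for _, pattern := range allowed {
		if globToRegexp(pattern).MatchString(roleARN) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed namespace annotations: only roles prefixed "payments-" are permitted.
	ns := map[string]string{allowedRolesAnnotation: `["arn:aws:iam::000000000000:role/payments-*"]`}
	for _, r := range []string{
		"arn:aws:iam::000000000000:role/payments-reader", // allowed
		"arn:aws:iam::000000000000:role/billing-admin",   // denied
	} {
		ok, err := roleAllowed(ns, r)
		fmt.Printf("%s allowed=%v err=%v\n", r, ok, err)
	}
}
```

Such a check only holds if the credentials kube-secret-syncer itself runs with cannot be reached by other pods, which is the point the comments above make about instance profiles and kube2iam namespace restrictions.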

When synced secrets have an IAMRole field defined, kube-secret-syncer will assume that role before retrieving the
secret. This implies that the role specified by IAMRole can be assumed by the default role kube-secret-syncer uses.

To ensure a specific namespace only has access to the secrets it needs to, kube-secret-syncer will use the
"iam.amazonaws.com/allowed-roles" annotation on the namespace (originally used by kube2iam) to validate that this
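Review bot: the rewritten paragraph ("When synced secrets have an IAMRole field defined ... assumed by the default role kube-secret-syncer uses") still omits the prerequisite raised in both review comments: the role kube-secret-syncer itself runs with must not be assumable by other pods in the cluster, otherwise the per-namespace check that follows can be bypassed by any pod that obtains those credentials. Suggest adding one sentence naming what breaks the model (EC2 instance profile credentials, which every pod on the node can reach) and what must be in place (for kube2iam, namespace restrictions, which are off by default), with a link to https://github.com/jtblin/kube2iam#namespace-restrictions, and a pointer to equivalent per-pod identity mechanisms such as kiam or IRSA as the second comment proposes.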