
Comments (6)

erikgb avatar erikgb commented on May 24, 2024 4

I support adding secrets as an opt-in target for bundles. There are just so many tools that only support obtaining CA certificates from secrets. And one could argue that even if a CA certificate bundle is not strictly secret, defining who you trust is definitely important for overall security.

As a mitigation to that risk, perhaps a suggestion for RBAC on secret to explicitly list resource names?

@james-callahan I don't think this is possible in general. As a user of trust-manager, I would expect to be allowed to express the secret name in the bundle resource. AFAIK the controller-runtime mechanics (and Kubernetes API) do not really support watching resources cluster-wide by name(s).

from trust-manager.
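The two RBAC shapes discussed in this thread, side by side, as an added example (these are not trust-manager's own manifests; the role names, the namespace and the Secret name are constructed placeholders). The first is the cluster-wide grant JoshVanL describes; the second is the `resourceNames`-scoped variant james-callahan suggests, annotated with the documented limits that lead to erikgb's objection.

```yaml
# Added example, not trust-manager's own RBAC. Two ways to let a controller
# write a CA bundle into Secrets.
#
# 1. The broad grant: read + write of every Secret in every namespace.
#    Whoever can act as this service account can read all cluster Secrets,
#    which is the security implication raised in the thread.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: bundle-secret-writer-broad        # hypothetical name
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# 2. The narrowed grant using resourceNames, one Role per target namespace.
#    Limits documented for Kubernetes RBAC:
#    - "create" cannot be restricted by resourceNames (the object's name is
#      not known to the authorizer at request time), so the controller must
#      update/patch pre-existing Secrets or be given an unrestricted create.
#    - "list"/"watch" are only authorized when the client sends a
#      metadata.name field selector matching a listed resourceName. A
#      cluster-wide informer does not do that, which is the controller-runtime
#      limitation erikgb points out.
#    - The Secret name must be fixed in RBAC, so it cannot be chosen freely
#      per Bundle resource without also updating this Role.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: bundle-secret-writer-scoped       # hypothetical name
  namespace: app-team-a                   # constructed sample namespace
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["example-ca-bundle"]  # constructed target Secret name
    verbs: ["get", "update", "patch"]
```

The scoped Role is the safer default to aim for where the target Secret is pre-created and its name is known, but because of the `list`/`watch` and `create` limits it does not map cleanly onto a controller that reconciles arbitrary Secret names cluster-wide, which is why the thread lands on an opt-in, disabled-by-default target rather than name scoping alone.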

JoshVanL avatar JoshVanL commented on May 24, 2024 3

Hi @cortopy, there is no technical reason why adding Secret as a target could not be done, however it poses security implications (trust would be able to read + write all Secrets in all namespaces). If added, we would likely want this feature disabled by default, and users would have to explicitly toggle that they 1. want this target available, and 2. grant and understand they are giving trust the permissions to do this.


cortopy avatar cortopy commented on May 24, 2024

Thanks @JoshVanL for such a quick answer. I hadn't thought of that, but the path you propose sounds excellent.


james-callahan avatar james-callahan commented on May 24, 2024

As a mitigation to that risk, perhaps a suggestion for RBAC on secret to explicitly list resource names?


erikgb avatar erikgb commented on May 24, 2024

I believe this issue was fixed by #193

/close


jetstack-bot avatar jetstack-bot commented on May 24, 2024

@erikgb: Closing this issue.

In response to this:

I believe this issue was fixed by #193

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

