Comments (6)
I support adding secrets as an opt-in target for bundles. There are just so many tools that only support obtaining CA certificates from secrets. And one could argue that even if a CA certificate bundle is not strictly secret, defining who you trust is definitely important for overall security.
As a mitigation to that risk, perhaps a suggestion for RBAC on secret to explicitly list resource names?
@james-callahan I don't think this is possible in general. As a user of trust-manager, I would expect to be allowed to express the secret name in the bundle resource. AFAIK the controller-runtime mechanics (and Kubernetes API) do not really support watching resources cluster-wide by name(s).
from trust-manager.
Hi @cortopy, there is no technical reason why adding Secret
as a target could not be done, however is poses security implications (trust would be able read + write all Secrets in all namespaces). If added, we would likely want this feature disabled by default, and users would have to explicitly toggle that they 1. want this target available, and 2. grant and understand they are giving trust the permissions to do this.
from trust-manager.
thanks @JoshVanL for such a quick answer. I hadn't thought of that but the path you propose sounds excellent
from trust-manager.
As a mitigation to that risk, perhaps a suggestion for RBAC on secret to explicitly list resource names?
from trust-manager.
I believe is issue was fixed by #193
/close
from trust-manager.
@erikgb: Closing this issue.
In response to this:
I believe is issue was fixed by #193
/close
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
from trust-manager.
Related Issues (20)
- Issue with CRDs when having trust-manager as chart dependency
- No flag to set structured logging format, e.g. JSON? HOT 2
- Using `trust-manager` for generating keystores HOT 5
- Evaluate trust namespace value as template
- Init Container cert-manager-package-debian Helm Chart should allow resource requests and limits HOT 1
- Bundle generating empty truststore.p12 when no password is provided HOT 2
- Allow all resources to be namespaced
- trust-manager deduplication doesnt work HOT 12
- Add support to s390x arch HOT 9
- Add support for kubectl installation HOT 3
- Add matchExpressions to Bundle's spec.target.namespaceSelector HOT 3
- Avoid multiple decode/encode of certificates HOT 6
- Provide deterministic bundle HOT 5
- Wrong labels in topologySpreadConstraints example in the Helm chart values
- Chart is not allowing to pass Certificate Issuer name through value.yaml
- Document a policy around immutable image tags HOT 1
- Support RSA Keys HOT 3
- Helm chart support dual stack clusters
- Allow to specify admission webhooks CA from Bundle HOT 3
- Empty Target field in kubectl get bundle HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from trust-manager.