Bind Vault admin tokens to Cluster CIDR block #40

Closed
justbert opened this issue May 6, 2020 · 1 comment
Labels
area/security kind/feature New feature or request size/S ~1 day


justbert commented May 6, 2020

To reduce the chances that Vault tokens with Admin access can be intercepted and used maliciously, I propose that we bind these tokens to the cluster's CIDR block through the use of `token_bound_cidrs`. This will require admins to port-forward through the cluster to access Vault for administrative tasks. Though it's an added inconvenience, I believe that this is an effective compromise in the name of security.

Currently when logging in with OIDC, admins will get a token with admin access automatically. I recommend that we make the Admin access to Vault an explicitly requested role so as to reduce the generation of tokens that have Admin access unnecessarily.

@justbert justbert added area/security kind/feature New feature or request size/S ~1 day labels May 6, 2020
@wg102 wg102 mentioned this issue Jul 12, 2022
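
An added example, not part of the original issue or the project's code: a small audit that checks both points of the proposal above, namely that every role issuing the admin policy has `token_bound_cidrs` inside the cluster CIDR and that the OIDC default role does not grant admin. The cluster CIDR, the policy name `admin`, and the role names are assumptions; the sample data is constructed and shaped like the `data` field of `vault read -format=json auth/oidc/role/<name>` and `auth/oidc/config`.

```python
import ipaddress

# Constructed sample data (not from a real Vault instance).
CLUSTER_CIDR = "10.0.0.0/16"   # assumed cluster CIDR block
ADMIN_POLICY = "admin"         # assumed name of the admin policy
OIDC_CONFIG = {"default_role": "default"}
ROLES = {
    "default":    {"token_policies": ["admin"], "token_bound_cidrs": []},
    "admin-wide": {"token_policies": ["admin"], "token_bound_cidrs": ["0.0.0.0/0"]},
    "admin":      {"token_policies": ["admin"], "token_bound_cidrs": ["10.0.4.0/24"]},
    "reader":     {"token_policies": ["read-only"], "token_bound_cidrs": []},
}


def audit_roles(roles, config, cluster_cidr, admin_policy=ADMIN_POLICY):
    """Return {role_name: [findings]} for roles that issue admin tokens unsafely."""
    cluster = ipaddress.ip_network(cluster_cidr)
    findings = {}
    for name, role in roles.items():
        if admin_policy not in role.get("token_policies", []):
            continue  # only admin-capable roles are in scope
        issues = []
        cidrs = role.get("token_bound_cidrs") or []
        if not cidrs:
            issues.append("admin token not bound to any CIDR")
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            # A bound CIDR must sit entirely inside the cluster block.
            if net.version != cluster.version or not net.subnet_of(cluster):
                issues.append(f"bound CIDR {cidr} extends outside {cluster_cidr}")
        if config.get("default_role") == name:
            issues.append("admin policy granted by the default login role")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for role, issues in audit_roles(ROLES, OIDC_CONFIG, CLUSTER_CIDR).items():
        for issue in issues:
            print(f"{role}: {issue}")
```
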
@Souheil-Yazji
Contributor

Stale, vault deprecated.
