Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🐛 Disallow fetching secrets from namespaces different from the host's one #1929

Merged
merged 1 commit into from
Sep 3, 2024
Merged

🐛 Disallow fetching secrets from namespaces different from the host's one #1929

merged 1 commit into from
Sep 3, 2024

Conversation

tuminoid
Copy link
Member

@tuminoid tuminoid commented Sep 3, 2024

The BareMetalHost CRD allows the UserData, MetaData, and NetworkData for the provisioned host to be specified as links to k8s Secrets. There are fields for both the Name and Namespace of the Secret, meaning that the baremetal-operator will read a Secret from any namespace. If a Secret contains the key "value" (or "userData", "metaData", or "networkData"), its corresponding value can be exfiltrated by a user provisioning a Host pointing to that Secret, then retrieving that data from the provisioned host.

Authored-by: Zane Bitter [email protected]

@tuminoid
Disallow fetching secrets from namespaces different from the host's one
64eb7cf 
The BareMetalHost CRD allows the UserData, MetaData, and NetworkData for
the provisioned host to be specified as links to k8s Secrets. There are
fields for both the Name and Namespace of the Secret, meaning that the
baremetal-operator will read a Secret from any namespace. If a Secret
contains the key "value" (or "userData", "metaData", or "networkData"),
its corresponding value can be exfiltrated by a user provisioning a Host
pointing to that Secret, then retrieving that data from the provisioned
host.

Authored-by: Zane Bitter <[email protected]>
Co-Authored-By: Dmitry Tantsur <[email protected]>

Signed-off-by: Tuomo Tanskanen <[email protected]>
@metal3-io-bot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign zaneb for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@metal3-io-bot metal3-io-bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Sep 3, 2024
@tuminoid tuminoid merged commit c2b5a55 into metal3-io:release-0.8 Sep 3, 2024
14 of 15 checks passed
@tuminoid tuminoid deleted the tuomo/ghsa-pqfh-xh7w-7h3p branch September 3, 2024 05:54
@GoVulnBot GoVulnBot mentioned this pull request Sep 3, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@elfosardo elfosardo Awaiting requested review from elfosardo

@s3rj1k s3rj1k Awaiting requested review from s3rj1k

Assignees
No one assigned
Labels
size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tuminoid @metal3-io-bot