undefined | Better HN

0 pointsotterley9y ago0 comments

First, I'm offended by your characterization of my argument as "bitching," as though our concerns are unjustified.

At any rate, you bring up two points: First, that etcd is insecure, which is a problem in itself that needs to be addressed. Communications between K8S and etcd and between applications and etcd need to be secured, and K8S itself needs role-based ACLs in the core.

Second, for the Vault use case, the best practice is not to place Vault tokens in etcd that grant direct access to any secrets. Instead, the best practice (as Kelsey's vault-controller project does) is to pass a "wrapper token," which is a single-use token. The application consumes the wrapper token (hopefully quickly) and exchanges it for a longer-lived token, which can then be used to access the secret data.

Once the wrapper token has been used, it is subsequently worthless to someone who has direct etcd access. And Vault's auditing capabilities can help you detect misuses of wrapper tokens.

0 comments

4 comments · 1 top-level

soamv9y ago· 3 in thread

The comment you're replying to doesn't say that etcd is insecure; just that access to etcd is equivalent in power to Kubernetes API access.

It's hard to have a productive discussion in such a confrontational tone, especially when you don't really have all the facts. If you have questions about how to secure Kubernetes communication with etcd, feel free to ask!

otterleyOP9y ago

What facts do you think I don't possess? Does etcd have an ACL capability yet? Does it possess auditing capability?

AFAIK etcd only supports TLS client authentication, which is arguably a fraction of what it needs in order to be considered a secure store in any meaningful sense. Consul is miles ahead in this regard.

By all means, correct me if I'm mistaken.

TheDong9y ago

What etcd does and doesn't support doesn't matter here.

Pods do not access etcd. Nothing that is not fully trusted has access. You don't need ACLs when the only users of etcd are 100% trusted (aka just kubernetes core components).

The kubernetes API provides secrets to pods and can do its own validation (and there's experimental support for that). It can provide its own auditing. That's where it actually matters, not etcd.

1 more reply

robszumski9y ago

etcd does contain ACLs: https://coreos.com/etcd/docs/latest/v2/auth_api.html

1 more reply

j / k navigate · click thread line to collapse