Documentation
Index
- Constants
- func ExtractAWSCredentials(ctx context.Context, secret *corev1.Secret, assumeRoleDuration time.Duration) (*credentials.Value, error)
- func ExtractAzureCredentials(secret *corev1.Secret) (*objectstore.SecretAzure, error)
- func ValidateAWSCredentials(secret *corev1.Secret) error
- func ValidateAzureCredentials(secret *corev1.Secret) error
- func ValidateCredentials(secret *corev1.Secret) error
- func ValidateGCPCredentials(secret *corev1.Secret) error
- func ValidateRepositoryServerSecret(repositoryServerSecret *corev1.Secret) error
Constants
const (
	// AWSSecretType represents the secret type for AWS credentials.
	AWSSecretType string = "secrets.kanister.io/aws"
	// AWSAccessKeyID is the key for AWS access key ID.
	AWSAccessKeyID string = "aws_access_key_id"
	// AWSSecretAccessKey is the key for AWS secret access key.
	AWSSecretAccessKey string = "aws_secret_access_key"
	// AWSSessionToken is the key for AWS Session token
	AWSSessionToken string = "aws_session_token"
	// ConfigRole represents the key for the ARN of the role which can be assumed.
	// It is optional.
	ConfigRole = "role"
)
const (
	// AzureSecretType represents the secret type for Azure credentials.
	AzureSecretType string = "secrets.kanister.io/azure"
	// AzureStorageAccountID is the config map key for Azure storage account id data
	AzureStorageAccountID string = "azure_storage_account_id"
	// AzureStorageAccountKey is the config map key for Azure storage account key data
	AzureStorageAccountKey string = "azure_storage_key"
	// AzureStorageEnvironment is the environment for Azure storage account
	AzureStorageEnvironment string = "azure_storage_environment"
)
const (
	// GCPProjectID is the config map key for gcp project id data
	GCPProjectID string = "gcp_project_id"
	// GCPServiceKey is the config map key for gcp service key data
	GCPServiceKey string = "gcp_service_key"
	// GCPServiceAccountJSONKey is the key for gcp service account json
	GCPServiceAccountJSONKey string = "service-account.json"
	// GCPSecretType represents the secret type for GCP credentials.
	GCPSecretType string = "secrets.kanister.io/gcp"
)
const FilestoreSecretType string = "secrets.kanister.io/filestore"
FilestoreSecretType represents the secret type for Filestore credentials.
Variables
This section is empty.
Functions
func ExtractAWSCredentials
func ExtractAWSCredentials(ctx context.Context, secret *corev1.Secret, assumeRoleDuration time.Duration) (*credentials.Value, error)
ExtractAWSCredentials extracts AWS credential values from the given secret.
Extracted values from the secrets are:
- access_key_id (required)
- secret_access_key (required)
- role (optional)
If the type of the secret is not "secrets.kanister.io/aws", it returns an error. If the required types are not available in the secrets, it returns an error.
ExtractAWSCredentials accepts an assumeRoleDuration, which is used to set the duration of the AWS session token. When this setting is not provided, the default duration of a token is 1h. The minimum value allowed is 15 minutes (15m). The maximum value depends on the max duration setting of the IAM role; the setting can be viewed using the instructions at https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session. The IAM role's max duration setting can be set between 1h and 12h.
func ExtractAzureCredentials
func ExtractAzureCredentials(secret *corev1.Secret) (*objectstore.SecretAzure, error)
ExtractAzureCredentials extracts Azure credential values from the given secret.
Extracted values from the secrets are:
- azure_storage_account_id (required)
- azure_storage_key (required)
- azure_storage_environment (optional)
If the type of the secret is not "secrets.kanister.io/azure", it returns an error. If the required types are not available in the secrets, it returns an error.
func ValidateAWSCredentials
ValidateAWSCredentials validates that the secret has all necessary information for AWS credentials. It also checks that the secret doesn't have unnecessary information.
Required fields:
- access_key_id
- secret_access_key
Optional field:
- session_token
func ValidateAzureCredentials
ValidateAzureCredentials validates that the secret has all necessary information for Azure credentials. It also checks that the secret doesn't have unnecessary information.
Required fields:
- azure_storage_account_id
- azure_storage_key
Optional field:
- azure_storage_environment
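The required, optional and no-unnecessary-keys checks described for ValidateAWSCredentials and ValidateAzureCredentials, written out as an added example that is not the package's own code. `Secret` is a local stand-in for `corev1.Secret`, `schemas` and `validateSecret` are hypothetical names, the key strings are taken from the constants listed on this page, the AWS optional list follows the ValidateAWSCredentials description (so `role` is not in it), and treating an empty value as missing is this example's choice.

```go
package main

import "fmt"

// Secret is a local stand-in for corev1.Secret (assumption): only the fields read here.
type Secret struct {
	Type string
	Data map[string][]byte
}

// schema holds the keys a typed credential secret must and may carry.
type schema struct{ required, optional []string }

// Secret types and key strings are the constants listed on this page.
var schemas = map[string]schema{
	"secrets.kanister.io/aws": {[]string{"aws_access_key_id", "aws_secret_access_key"},
		[]string{"aws_session_token"}},
	"secrets.kanister.io/azure": {[]string{"azure_storage_account_id", "azure_storage_key"},
		[]string{"azure_storage_environment"}},
}

// validateSecret (hypothetical helper) rejects an unknown type, a missing
// or empty required key, and any key outside the schema.
func validateSecret(s Secret) error {
	sc, ok := schemas[s.Type]
	if !ok {
		return fmt.Errorf("unsupported secret type %q", s.Type)
	}
	allowed := map[string]bool{}
	for _, k := range sc.required {
		if len(s.Data[k]) == 0 {
			return fmt.Errorf("required key %q missing or empty", k)
		}
		allowed[k] = true
	}
	for _, k := range sc.optional {
		allowed[k] = true
	}
	for k := range s.Data {
		if !allowed[k] { // name the key only, never put the value in an error
			return fmt.Errorf("unexpected key %q in %s secret", k, s.Type)
		}
	}
	return nil
}

func main() { // constructed sample: AWS-typed secret carrying a stray Azure key
	v := []byte("EXAMPLE")
	fmt.Println(validateSecret(Secret{"secrets.kanister.io/aws", map[string][]byte{
		"aws_access_key_id": v, "aws_secret_access_key": v, "azure_storage_key": v}}))
}
```

Rejecting keys outside the schema catches a credential pasted into a secret of the wrong type before it is handed to a storage client.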
func ValidateCredentials
ValidateCredentials returns an error if the secret fails validation. Currently supports the following:
- AWS typed secret with required AWS secret fields.
func ValidateGCPCredentials
ValidateGCPCredentials verifies the schema of GCP secrets that need to be provided for kopia commands.
Types
This section is empty.
Directories
Path | Synopsis |
---|---|
Package repositoryserver validates the secret credentials for all location profiles. |