feat: Provide credentials in imagePullSecret without global access #2161
+160
−50
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When running a cluster that contains images from a private registry one needs to configure authentication. This is done by using kubernetes ImagePullSecrets. By default the trivy-operator is able to read the secrets attached to a target workload and use them to access the container registry. While this is necessary when working with different registries inside the cluster, this comes with one security downside: the operator needs access to all secrets inside the cluster. If all images are being pulled from a single private registry then one ImagePullSecret can be used for all of them. The easiest one to use is inside the operator namespace. This change does not impact any deployments running with default settings (global access enabled). But in case one disables that access this allows to instead read a single ImagePullSecret and use it for all images.
|
Hey, this MR is not finished (and tests will fail for sure), but I wanted to get your opinion on my approach first - afterwards, I will try to add and fix the necessary tests. operator:
accessGlobalSecretsAndServiceAccount: false
privateRegistryScanSecretsNames: {"trivy-operator":"internal-pullsecret"}With this change the above configuration would allow the trivy-operator to pull all images inside the cluster that use the same private registry - while not having to grant it access to every secret in the entire cluster. WDYT? |
|
@maltemorgenstern looks ok in general |
The unit tests have been fixed and now cover three different scenarios: - No credentials have been configured at all - ImagePullSecret for workload exists but global access is disabled - ImagePullSecret for workload exists and global access is enabled Also a small typo in the CONTRIBUTING.md is being fixed.
In [1] the trivy-operator updates the temporary secrets to reflect the ownership by
each scan job. This requires the 'update' persmission for secrets - otherwise the
call with result in an error ("forbidden").
While the ClusterRole has this permission the Role does not. This needs to be added
to run the trivy-operator without global access - while still using imagePullSecrets
to configure authentication for private registries.
[1]: https://github.com/aquasecurity/trivy-operator/blob/d5d7e3d25c5e98f92c6a596af639b1f8df721869/pkg/vulnerabilityreport/controller/workload.go#L380-L389
|
Hey @chen-keinan, I finally found the time to finalize this PR - it's ready for review now. FYI: I don't have much experience in Go - so any hints about styling or optimizations are welcome! |
|
Hey @chen-keinan, just wanted to check in - what to you think about these changes? |
|
This PR is stale because it has been labeled with inactivity. |
github-actions
bot
added
the
lifecycle/stale
|
Hey, we would still like this to be merged. @chen-keinan do you mind giving it a review? |
github-actions
bot
removed
the
lifecycle/stale
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
When running a cluster that contains images from a private registry one needs to configure authentication. This is done by using kubernetes ImagePullSecrets. By default the trivy-operator is able to read the secrets attached to a target workload and use them to access the container registry.
While this is necessary when working with different registries inside the cluster, this comes with one security downside: the operator needs access to all secrets inside the cluster.
If all images are being pulled from a single private registry then one ImagePullSecret can be used for all of them. The easiest one to use is inside the operator namespace (because the operator has access to secrets in its own namespace).
This change does not impact any deployments running with default settings (global access enabled). But in case one disables that access this allows to instead read a single ImagePullSecret and use it for all images.
Related issues
Checklist