-
Notifications
You must be signed in to change notification settings - Fork 81
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add secret_paths attributes to policies sent to agents #3908
Add secret_paths attributes to policies sent to agents #3908
Conversation
Add a new attribute "secret_paths" to the policy data sent to agents. This attribute is a list of keys where the fleet-server has repalced a reference with a secret value. The agent is expected to redact the values of these keys when outputting policy data.
This pull request does not have a backport label. Could you fix it @michel-laterman? 🙏
|
|
b411fea
to
d656c3f
Compare
d656c3f
to
ba13964
Compare
@@ -522,6 +522,11 @@ components: | |||
id: | |||
description: The policy's ID. | |||
type: string | |||
secret_paths: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since this is outside of the signed section of the policy, in theory it could be modified to cause agent to not redact secrets locally couldn't it?
To put it in the signed section of the policy, we'd have to determine which fields contain secrets in Kibana instead, because that is where the signing key resides.
Is there a reason why we can't put these in Kibana?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK, thinking more deeply, I was thinking through a scenario where someone had intercepted the checkin response, and wanted to to force the agent to disclose secrets by removing the redaction hints.
However, if they have the checkin response after Fleet Server has touched it and added these keys, they already have the replaced secret values that Fleet Server inserted.
So I don't think there is a point in doing this because it doesn't protect us from anything.
In addition to my bigger picture question about being able to sign the secret_paths, SonarQube says there are some non-error paths in replaceSliceRefs that have no test coverage. |
internal/pkg/policy/secret.go
Outdated
case string: | ||
ref, replaced := replaceStringRef(value, secrets) | ||
if replaced { | ||
keys = append(keys, fmt.Sprintf("[%d]", i)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm going to delay merging this as I think go-ucfg uses .
when accessing array values.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
elastic/elastic-agent#5621
go-ucfg does use .
when accessing arrays
Quality Gate passedIssues Measures |
Add a new attribute "secret_paths" to the policy data sent to agents. This attribute is a list of keys where the fleet-server has repalced a reference with a secret value. The agent is expected to redact the values of these keys when outputting policy data. (cherry picked from commit 4864cf4)
Add a new attribute "secret_paths" to the policy data sent to agents. This attribute is a list of keys where the fleet-server has repalced a reference with a secret value. The agent is expected to redact the values of these keys when outputting policy data. (cherry picked from commit 4864cf4) Co-authored-by: Michel Laterman <82832767+michel-laterman@users.noreply.github.com>
What is the problem this PR solves?
Agent cannot determine where secrets have been injected into a policy.
How does this PR solve the problem?
Add a new attribute
secret_paths
to the policy data sent to agents. This attribute is a list of keys where the fleet-server has repalced a reference with a secret value. The agent is expected to redact the values of these keys when outputting policy data.Design Checklist
I have or intend to scale test my changes, ensuring it will work reliably with 100K+ agents connected.I have included fail safe mechanisms to limit the load on fleet-server: rate limiting, circuit breakers, caching, load shedding, etc.Checklist
I have made corresponding changes to the documentationI have made corresponding change to the default configuration files./changelog/fragments
using the changelog tool