Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Provide credentials in imagePullSecret without global access #2161

Open
wants to merge 3 commits into
base: main
Choose a base branch
from

Conversation

maltemorgenstern
Copy link
Contributor

Description

When running a cluster that contains images from a private registry one needs to configure authentication. This is done by using kubernetes ImagePullSecrets. By default the trivy-operator is able to read the secrets attached to a target workload and use them to access the container registry.

While this is necessary when working with different registries inside the cluster, this comes with one security downside: the operator needs access to all secrets inside the cluster.

If all images are being pulled from a single private registry then one ImagePullSecret can be used for all of them. The easiest one to use is inside the operator namespace (because the operator has access to secrets in its own namespace).

This change does not impact any deployments running with default settings (global access enabled). But in case one disables that access this allows to instead read a single ImagePullSecret and use it for all images.

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

When running a cluster that contains images from a private registry one
needs to configure authentication. This is done by using kubernetes
ImagePullSecrets. By default the trivy-operator is able to read the
secrets attached to a target workload and use them to access the
container registry.

While this is necessary when working with different registries inside
the cluster, this comes with one security downside: the operator needs
access to all secrets inside the cluster.

If all images are being pulled from a single private registry then
one ImagePullSecret can be used for all of them. The easiest one to
use is inside the operator namespace.

This change does not impact any deployments running with default
settings (global access enabled). But in case one disables that
access this allows to instead read a single ImagePullSecret and
use it for all images.
@maltemorgenstern maltemorgenstern marked this pull request as draft June 27, 2024 20:04
@maltemorgenstern
Copy link
Contributor Author

Hey, this MR is not finished (and tests will fail for sure), but I wanted to get your opinion on my approach first - afterwards, I will try to add and fix the necessary tests.

operator:
  accessGlobalSecretsAndServiceAccount: false
  privateRegistryScanSecretsNames: {"trivy-operator":"internal-pullsecret"}

With this change the above configuration would allow the trivy-operator to pull all images inside the cluster that use the same private registry - while not having to grant it access to every secret in the entire cluster.

WDYT?

@chen-keinan
Copy link
Contributor

@maltemorgenstern looks ok in general

The unit tests have been fixed and now cover three different scenarios:
- No credentials have been configured at all
- ImagePullSecret for workload exists but global access is disabled
- ImagePullSecret for workload exists and global access is enabled

Also a small typo in the CONTRIBUTING.md is being fixed.
In [1] the trivy-operator updates the temporary secrets to reflect the ownership by
each scan job. This requires the 'update' persmission for secrets - otherwise the
call with result in an error ("forbidden").

While the ClusterRole has this permission the Role does not. This needs to be added
to run the trivy-operator without global access - while still using imagePullSecrets
to configure authentication for private registries.

[1]: https://github.com/aquasecurity/trivy-operator/blob/d5d7e3d25c5e98f92c6a596af639b1f8df721869/pkg/vulnerabilityreport/controller/workload.go#L380-L389
@maltemorgenstern maltemorgenstern marked this pull request as ready for review July 21, 2024 18:12
@maltemorgenstern
Copy link
Contributor Author

Hey @chen-keinan, I finally found the time to finalize this PR - it's ready for review now.

FYI: I don't have much experience in Go - so any hints about styling or optimizations are welcome!

@maltemorgenstern
Copy link
Contributor Author

Hey @chen-keinan, just wanted to check in - what to you think about these changes?
Thanks!

Copy link

This PR is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Oct 13, 2024
@maltemorgenstern
Copy link
Contributor Author

Hey, we would still like this to be merged. @chen-keinan do you mind giving it a review?

@github-actions github-actions bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Oct 14, 2024
@simar7 simar7 requested review from afdesk and removed request for chen-keinan December 3, 2024 06:09
@simar7
Copy link
Member

simar7 commented Jan 16, 2025

@afdesk could you take a look when you have a chance?

labels:
app.kubernetes.io/name: trivy-operator
app.kubernetes.io/instance: trivy-operator
app.kubernetes.io/version: "0.21.3"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
app.kubernetes.io/version: "0.21.3"
app.kubernetes.io/version: "0.23.0"

metadata:
name: trivy-operator
name: trivy-operator-leader-election
namespace: trivy-system
labels:
app.kubernetes.io/name: trivy-operator
app.kubernetes.io/instance: trivy-operator
app.kubernetes.io/version: "0.21.3"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
app.kubernetes.io/version: "0.21.3"
app.kubernetes.io/version: "0.23.0"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
3 participants