Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Configure trivy-operator to use single ImagePullSecret from operator namespace without enabling global secret access #2158

Open
maltemorgenstern opened this issue Jun 25, 2024 Discussed in #2053 · 4 comments · May be fixed by #2161
Assignees
Milestone

Comments

@maltemorgenstern
Copy link
Contributor

Discussed in #2053

Originally posted by maltemorgenstern May 4, 2024
Hey there, I have a question about private registries.

We are running a private registry for all of our docker images (there are gatekeeper policies in place to enforce that only internal images can be deployed into the cluster). Therefore every deployment/namespace contains an ImagePullSecret with credentials to our registry.

Using the default trivy-operator configuration this works like a charm - and reports for all resources are being created (because the operator is using the ImagePullSecret from each workload to pull the image, see the docs).

The problem is that the default configuration comes with highly privileged permissions. Because operator.accessGlobalSecretsAndServiceAccount defaults to true, the deployed ClusterRole grants the operator access to all secrets in all namespaces - which is being criticised by our security team.

- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - get
  - update

Based on this discussion instead of using the ImagePullSecret in each namespace one can configure the operator to use a different secret from other namespaces. In our case we would just reference the secret from the operator namespace which contains credentials that are valid for all images in the cluster:

operator:
  # Do not allow access to everything (to increase security)
  accessGlobalSecretsAndServiceAccount: false

  # Instead configure operator to read ImagePullSecret from its own namespace
  privateRegistryScanSecretsNames: {"trivy-operator":"internal-pullsecret"}

But this does not work - and all scan jobs fail with unauthorized errors.

Looking at the code the reason seems to be that privateRegistryScanSecretsNames requires accessGlobalSecretsAndServiceAccount to be enabled?

if r.AccessGlobalSecretsAndServiceAccount && len(reusedReports) == 0 {
privateRegistrySecrets, err := r.Config.GetPrivateRegistryScanSecretsNames()
if err != nil {
return err
}
pConfig, err := r.PluginContext.GetConfig()
if err != nil {
return err
}
multiSecretSupport := trivy.MultiSecretSupport(trivy.Config{PluginConfig: pConfig})
credentials, err = r.CredentialsByServer(ctx, owner, privateRegistrySecrets, multiSecretSupport)
if err != nil {
return err
}
}

And - in general - I can understand this requirement - because if you reference a workload namespace as the secret source that cluster-wide access is required to read the data.

But if the namespace is the operator namespace this is not needed - because the default role already contains the required permissions to read kubernetes secrets:

- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- get
- delete

Question

  • Is there currently a way to provide access to private registries without granting the operator access to all secrets in the cluster?
  • If not: what do you think about the idea to add another option for providing the credentials - which would be referencing a local ImagePullSecret and therefor not needing global access?

Kind Regard Malte

Copy link

This issue is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Aug 25, 2024
@maltemorgenstern
Copy link
Contributor Author

There is an open pull request for this feature waiting for review: #2161

@github-actions github-actions bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Aug 26, 2024
Copy link

This issue is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Oct 25, 2024
@maltemorgenstern
Copy link
Contributor Author

The pull request is still open and awaiting a review.

@github-actions github-actions bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Oct 26, 2024
@simar7 simar7 added this to the v0.24.0 milestone Dec 4, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants