Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

better handling of masterEncryptionKey change #512

Open
joel-bluedata opened this issue Sep 24, 2021 · 2 comments
Open

better handling of masterEncryptionKey change #512

joel-bluedata opened this issue Sep 24, 2021 · 2 comments
Labels
Priority: High Project: Cluster Reconcile beyond simple xlate of model to K8s spec Type: Enhancement
Milestone
1.0.0

Comments

@joel-bluedata
Copy link
Member

joel-bluedata commented Sep 24, 2021
edited
Loading

Currently if the masterEncryptionKey in kd-global-config is changed (or kd-global-config is deleted), the following things are true:

  • Any newly specified secret key value will be properly encrypted.
  • Any existing value will still be readable within the container as long as nothing triggers a configmeta update.
  • Any existing value will get scrambled within the container when configmeta update happens. (Unless a change in master key length actually now causes any configmeta update to error out, which is even worse.)

The first of those is fine and good. The second is probably good/expected too. The third is not. And the third isn't easy to catch/fix in the validator because we no longer have either the original value or the original master key accessible to KD (at least, not easily).

Another consideration here: why would someone WANT to change the master key? The only reason that immediately presents itself is that someone-who-shouldn't got a look at the master key and therefore they would be able to decrypt the encryptedKey values in the existing kdcluster specs. Well, even if you change the master key, those encryptedKey values will not automatically be changed, so they would still be vulnerable to anyone who stole the old master key.

Let's discuss the desired behavior, and if there's any low-hanging-fruit improvement we need to make before the 0.7.0 release.

My thought about immediate changes:

Failure to decrypt an encryptedValue should just remove the associated value from the configmeta, rather than failing the configmeta generation.

Possibly we should block changes to masterEncryptionKey -- including kdconfig deletion -- while kdclusters exist. (This would be quick to do, just check if shared.clustersUsingApp has any content.) This is super annoying since the only valid reason to change masterEncryptionKey occurs when some kdclusters exist ... however as mentioned above, we don't yet properly handle that situation anyway.
joel-bluedata added a commit to joel-bluedata/kubedirector that referenced this issue Sep 24, 2021
@joel-bluedata
secretKeys documentation and fixes
ce60330 
The main point of this PR is to add a doc about "secret keys" that can be referenced from the CRD wiki pages.

I've also bundled a fix for an upgrade case: make sure that the master key default is generated if there was a pre-existing kdconfig when KD was upgraded.

I think it's quite likely that we'll want to include some immediate fixes for issue bluek8s#512 in here as well, along with the necessary doc updates to reflect that.
@joel-bluedata joel-bluedata mentioned this issue Sep 24, 2021
Merged
joel-bluedata added a commit to joel-bluedata/kubedirector that referenced this issue Sep 24, 2021
@joel-bluedata
prevent changing master encryption key while kdclusters exist
d12c4c9 
(including indirectly by kdconfig deletion)

Some big-hammer preventive measures for things described in issue bluek8s#512.
@joel-bluedata
Copy link
Member Author

Examples of those "immediate changes" added to PR #513.

@joel-bluedata
Copy link
Member Author

Merged a few immediate changes/fixes:

  • No changing the master key while kdclusters exist.
  • No deleting kdconfig while kdclusters exist (because basically this changes the master key).
  • If a secret-key value fails to decrypt, just omit it from configmeta rather than failing all configmeta generation.

Now we need to decide how we can support changing the master key.

@joel-bluedata joel-bluedata added this to the 1.0.0 milestone Mar 10, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Priority: High Project: Cluster Reconcile beyond simple xlate of model to K8s spec Type: Enhancement
Projects
None yet
Milestone
1.0.0
Development

No branches or pull requests
1 participant
@joel-bluedata