Secured configmaps #2222

Draft
wants to merge 2 commits into
base: main
LuciaSirova (Collaborator) commented Feb 21, 2025

Description

By default in a Kubernetes system, encryption of data inside objects like configmaps is not enabled, so data in etcd is available to a potential attacker.
Encrypting configmaps is possible in newer versions of Kubernetes. When this configuration is done, all newly created configmaps have encrypted data in the etcd key-value store.
This test case creates a new configmap with a random suffix (to avoid conflict). Then we will use a similar command in the etcd pod to verify whether encryption is working:

```bash
ETCDCTL_API=3 etcdctl \
  --cacert=/etc/kubernetes/pki/etcd/ca.crt \
  --cert=/etc/kubernetes/pki/etcd/server.crt \
  --key=/etc/kubernetes/pki/etcd/server.key \
  get /registry/configmaps/default/my-configmap | hexdump -C
```

Issues:

Refs: #1994

How has this been tested:

  • Covered by existing integration testing
  • Added integration testing to cover
  • Verified all A/C passes
    • develop
    • master
    • tag/other branch
  • Test environment
    • Shared Packet K8s cluster
    • New Packet K8s cluster
    • Kind cluster
  • Have not tested

Types of changes:

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update

Checklist:

Documentation

  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • No updates required.

Code Review

  • Does the test handle fatal exceptions, ie. rescue block

Issue

  • Tasks in issue are checked off
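
The hexdump check in the description above can be scripted instead of read by eye. This is an added example, not code from this pull request or the project: it assumes the Kubernetes storage formats, where a value written by an encryption provider starts with `k8s:enc:<provider>:` and an unencrypted ConfigMap starts with the protobuf magic `k8s\0` (or `{` for JSON), and `to_hex`, `etcd_value_state` and the canary argument are hypothetical names.

```shell
#!/bin/sh
# Hex-encode stdin as " 6b 38 73 ... " (a space around every byte) so NUL
# bytes in protobuf payloads survive shell string handling.
to_hex() { { printf ' '; od -An -v -tx1; } | tr '\n' ' ' | tr -s ' '; }

# Usage: etcdctl ... get <key> | etcd_value_state [canary]
# Prints "encrypted:<provider>", "plaintext" or "unknown". The optional canary
# is a string stored in the ConfigMap; seeing it in etcd means plaintext.
etcd_value_state() (
  hex=$(to_hex)
  # etcdctl prints "<key>\n<value>\n" by default: drop the "/registry/" line.
  case $hex in
    " 2f 72 65 67 69 73 74 72 79 2f "*) hex=" ${hex#* 0a }" ;;
  esac
  state=unknown
  case $hex in
    " 6b 38 73 3a 65 6e 63 3a "*)             # envelope prefix "k8s:enc:"
      rest=${hex#" 6b 38 73 3a 65 6e 63 3a "}
      # Decode the bytes up to the next ":" (0x3a) back into the provider name.
      provider=$(for b in ${rest%% 3a *}; do
        printf "\\$(printf '%o' "0x$b")"
      done | tr -cd '[:alnum:]')
      state="encrypted:$provider" ;;
    " 6b 38 73 00 "* | " 7b "*)               # protobuf magic "k8s\0" or JSON "{"
      state=plaintext ;;
  esac
  # A canary visible in the stored bytes overrides whatever the prefix claims.
  if [ -n "${1:-}" ]; then
    canary=$(printf '%s' "$1" | to_hex)
    case $hex in *"$canary"*) state=plaintext ;; esac
  fi
  echo "$state"
)

# Constructed sample (not real cluster output): key line plus an aescbc envelope.
printf '/registry/configmaps/default/my-configmap\nk8s:enc:aescbc:v1:key1:\001\002\377\n' |
  etcd_value_state canary-1234   # prints encrypted:aescbc
```

Passing the random value written into the test ConfigMap as the canary catches the case where the prefix looks right but the payload is still readable.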

haskojur and others added 2 commits February 18, 2025 11:18
- Added "verify_configmaps_encryption" to the security task list
- Implemented a test to verify if ConfigMaps are not encrypted

Signed-off-by: Lucia Sirova <[email protected]>