Skip to content

Instantly share code, notes, and snippets.

@Syerram

Syerram/audit-k8s-config.md

Last active June 11, 2020 16:42
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save Syerram/e00a2d70337b0ba7d6853c7606a2f735 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save Syerram/e00a2d70337b0ba7d6853c7606a2f735 to your computer and use it in GitHub Desktop.
Download ZIP
Audit of final cf-for-k8s deployment
Raw
audit-k8s-config.md

Findings

  • cf-api-kpack-watcher deployment uses admin_client_secret non secret
  • cloud-controller-ng-yaml configmap consumes postgres password
  • cloud-controller-ng-yaml is just a huge yaml dump. can this be broken down into key-value config map
  • cloud-controller-ng-yaml bunch of other secrets that are unused but still in the configmap
  • cloud-controller-ng-yaml configmap consumes blobstore password
  • cloud-controller-ng-yaml configmap consumes uaa password as plain text cloud_controller_username_lookup_client_secret
  • eirini config-map consumes secret name app-registry-credentials as config yaml (instead of secret).
  • Will kapp rotate CRDs that reference secret names e.g. Gateway.istio-ingressgateway.credentialName
  • uaa-config config map consumes encryption.encryption_keys.passphrase
  • uaa-config config map consumes certs directly serviceProviderKey, serviceProviderKeyPassword, serviceProviderCertificate
  • uaa-config config map consumes LOGIN_SECRET: uaa-login-secret instead of mounted path
  • uaa-config config map consumes client secrets as plain text cf-k8s-networking, cloud_controller_username_lookup, capi_kpack_watcher
  • uaa-config config map consumes cf_admin_password from values.yml as plain text
  • cf-for-k8s is using the same uaa admin passwords for components. instead, it should use separate passwords for each client.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment