Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Secrets rotation and Secrets semantics #4673

Closed
erictune opened this issue Feb 20, 2015 · 11 comments
Closed

Secrets rotation and Secrets semantics #4673

erictune opened this issue Feb 20, 2015 · 11 comments
Labels
area/security sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle.

Comments

@erictune
Copy link
Member

It would be nice to be able to rotate secrets while the pod is still running. This issue is to discuss how that might work.

Some things to think about:

  • Can we attach a new volume to a running container? I don't think so.
  • Is the content of a secret mutable after creation?
  • What happens if you delete a secret that is in use by running pods? I guess they keep running, but then new instances can't be created from the same template?
  • What happens if you modify the data in a pod (if that is allowed) or if you delete a secret and then create a new one with the same name? Does kubelet notice that and update the volume of a running pod?
  • Given that the tmpfs is readonly bind mounted, if the kubelet could modify the data, how consistently would the pod see the changes?
  • If the kubelet does modify volume contents, should it do so in a way that is atomic (that is, make a second file tree, and then flip a hard link over once the change is complete? Does that require a minimum number of path components to separate the bind mount root from the flippable hard link?
  • If the above, then we should document that clients need to not keep secrets files open indefinitely.
  • If containers keep files open after files on the tmpfs are deleted, the memory charges should migrate to the container (@vmarmol or @dchen1107 or @thockin might know better)
  • Is the behavior different for different secrets types?
@erictune
Copy link
Member Author

Relevant to #4672

@erictune
Copy link
Member Author

@pmorie

@erictune
Copy link
Member Author

@bgrant0607

@vmarmol vmarmol added area/security sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. labels Feb 20, 2015
@thockin
Copy link
Member

thockin commented Feb 21, 2015

I'm really hoping to avoid having the kubelet be dynamically updating magic
volumes (run your own side-car), but I am not sure we can escape it with
secrets since there is info there that is meaningful to the kubelet itself..

On Fri, Feb 20, 2015 at 9:43 AM, Eric Tune notifications@github.com wrote:

@bgrant0607 https://github.com/bgrant0607

Reply to this email directly or view it on GitHub
#4673 (comment)
.

@bgrant0607
Copy link
Member

I think we should support dynamic updates. That makes the feature vastly more useful and reduces the complexity for clients tremendously. Immutable secret objects would induce cascading complexity: automatic name generation, automatic garbage collection of secrets not in use, etc. Plus, I doubt we could prevent users from updating the volume source to point to a new secret, which seems to have about the same complexity. In general, making things not updatable greatly complicates our user-facing configuration solution. We could potentially restart/recreate containers upon these kinds of updates for now, if that would simplify the implementation.

Additionally, we're going to want the same behavior for a dynamic config solution for our own components.

@bgrant0607
Copy link
Member

Also, I vote for atomic update. A lifecycle event can notify the containers that they should reopen the file(s).

@thockin
Copy link
Member

thockin commented Feb 21, 2015

Dynamic updates can be achieved by running a secret-syncer sidecar. I'm
just trying to convince myself that this is not a viable answer.

As for atomic updates, easier said than done. The only atomic op is
rename() and that is singular AND only works for directories iff the
destination does not already exist.

We could do something like put secrets into a subdir of the volume and then
flip a symlink with rename.

e.g.

mkdir /path/to/volume/.update_in_progress
write secrets to /path/to/volume/.update_in_progress
mv /path/to/volume/.update_in_progress /path/to/volume/new_timestamp
ln -s new_timestamp /path/to/volume/.updated_link
rename /path/to/volume/.updated_link /path/to/volume/current

It's ugly and we still have to deal with cleanup, but it's the only way I
know.

On Fri, Feb 20, 2015 at 10:48 PM, Brian Grant notifications@github.com
wrote:

Also, I vote for atomic update. A lifecycle event can notify the
containers that they should reopen the file(s).

Reply to this email directly or view it on GitHub
#4673 (comment)
.

@pmorie
Copy link
Member

pmorie commented Feb 22, 2015

@erictune @thockin @bgrant0607 I am torn on this one personally. One thing I want to point out while I gather my thoughts is that I think we have a similar problem in this use-case to other ones that have been mentioned:

@pmorie pmorie mentioned this issue Feb 22, 2015
Closed
@erictune
Copy link
Member Author

erictune commented Mar 2, 2015

I now think we probably don't need to prioritize automated rotation at this time.

Most pods are going to have a way that they can be updated to have a new image or new flags. Updating the secret can use that same workflow, assuming secret changes are infrequent.

There are two cases where secrets might change frequently, but I don't think these are that important right now:

First, short lived tokens. We've talked about having a way to hold something like an OAuth Refresh Token in the apiserver, and then have it generate access tokens periodically, and "rotate" them for clients. While this has the nice property of protecting the long lived secret, clients are probably not going to expect to have the access token changing underneath them, and it has the drawback of giving the client the access token even when it doesn't need it (if it has time-varying behavior).

Second would be a server that stores multiple changing secrets, like username/password combinations for a website. This case doesn't match the current secrets implementation: secret modifications made by the pod won't be remembered.

@erictune
Copy link
Member Author

erictune commented Mar 2, 2015

TL;DR
I don't think we should work on secret rotation right now.
And we should make secrets immutable. I'll file a narrower issue for that.

@erictune erictune closed this as completed Mar 2, 2015
@erictune erictune mentioned this issue Mar 3, 2015
Closed
@thockin
Copy link
Member

thockin commented Mar 4, 2015

I'm fine closing this for now - it's a much larger design issue and not priortiy

@erictune erictune mentioned this issue Jan 31, 2016
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/security sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@pmorie @vmarmol @thockin @bgrant0607 @erictune