From 2d98982809f878b9e02567236e42b2a350542082 Mon Sep 17 00:00:00 2001
From: anon-software <8951449+anon-software@users.noreply.github.com>
Date: Wed, 4 Sep 2024 14:02:52 -0700
Subject: [PATCH] Security exposure related to the token (#356)

* Security exposure related to the token

The installation playbook saves the token into the systemd unit configuration file /etc/systemd/system/k3s.service. The problem is that according to K3s' documentation "the server token should be guarded carefully" (https://docs.k3s.io/cli/token), yet the configuration file is readable by anybody. A better solution is to save the token into its corresponding environment file /etc/systemd/system/k3s.service.env which is readable by the super user only. This is what the standard K3s' installation script (https://get.k3s.io) does.

Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>

* Restore the server URL into systemd configuration file

There aren't any security implications in keeping it there.

Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>

---------

Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
---
 roles/k3s_agent/tasks/main.yml | 8 ++++++++
 roles/k3s_agent/templates/k3s-agent.service.j2 | 2 +-
 roles/k3s_server/tasks/main.yml | 15 +++++++++++++++
 .../templates/k3s-cluster-init.service.j2 | 2 +-
 roles/k3s_server/templates/k3s-ha.service.j2 | 2 +-
 roles/k3s_server/templates/k3s-single.service.j2 | 2 +-
 6 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/roles/k3s_agent/tasks/main.yml b/roles/k3s_agent/tasks/main.yml
index 9ff7a28..8db49c0 100644
--- a/roles/k3s_agent/tasks/main.yml
+++ b/roles/k3s_agent/tasks/main.yml
@@ -35,6 +35,14 @@
 INSTALL_K3S_EXEC: "agent"
 changed_when: true
 
+ - name: Add the token for joining the cluster to the environment
+ no_log: true # avoid logging the server token
+ ansible.builtin.lineinfile:
+ path: "{{ systemd_dir }}/k3s-agent.service.env"
+ line: "{{ item }}"
+ with_items:
+ - "K3S_TOKEN={{ token }}"
+
 - name: Copy K3s service file
 register: k3s_agent_service
 ansible.builtin.template:
diff --git a/roles/k3s_agent/templates/k3s-agent.service.j2 b/roles/k3s_agent/templates/k3s-agent.service.j2
index adb39cf..4d0bad5 100644
--- a/roles/k3s_agent/templates/k3s-agent.service.j2
+++ b/roles/k3s_agent/templates/k3s-agent.service.j2
@@ -26,4 +26,4 @@ RestartSec=5s
 ExecStartPre=/bin/sh -xc '! /usr/bin/systemctl is-enabled --quiet nm-cloud-setup.service'
 ExecStartPre=-/sbin/modprobe br_netfilter
 ExecStartPre=-/sbin/modprobe overlay
-ExecStart=/usr/local/bin/k3s agent --data-dir {{ k3s_server_location }} --server https://{{ api_endpoint }}:{{ api_port }} --token {{ token }} {{ extra_agent_args }}
+ExecStart=/usr/local/bin/k3s agent --data-dir {{ k3s_server_location }} --server https://{{ api_endpoint }}:{{ api_port }} {{ extra_agent_args }}
diff --git a/roles/k3s_server/tasks/main.yml b/roles/k3s_server/tasks/main.yml
index bad7f68..466d56e 100644
--- a/roles/k3s_server/tasks/main.yml
+++ b/roles/k3s_server/tasks/main.yml
@@ -86,6 +86,13 @@
 line: "{{ item }}"
 with_items: "{{ extra_service_envs }}"
 
+ # Add the token to the environment.
+ - name: Add token as an environment variable
+ no_log: true # avoid logging the server token
+ ansible.builtin.lineinfile:
+ path: "{{ systemd_dir }}/k3s.service.env"
+ line: "K3S_TOKEN={{ token }}"
+
 - name: Restart K3s service
 when:
 - ansible_facts.services['k3s.service'] is defined
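Review bot: The new `lineinfile` task appends `K3S_TOKEN=…` without a `regexp`, so when `token` is later rotated the superseded line stays in `k3s-agent.service.env` (systemd keeps the last assignment of a repeated variable) and the old secret lingers on disk; add `regexp: '^K3S_TOKEN='` under `ansible.builtin.lineinfile:` so the task replaces rather than accumulates. The task also sets no `mode`, so the root-only readability the commit message relies on holds only if an earlier task outside this hunk creates the env file with a restrictive mode — if it does not, add `create: true` and `mode: "0600"` here (without `create`, `lineinfile` fails on a missing path). The same two points apply to the server-role hunks at `@@ -86,6 +86,13 @@` and `@@ -174,6 +181,14 @@`. As a style point, the single-item `with_items` here and in the `-174` hunk could be the plain `line: "K3S_TOKEN={{ token }}"` that the `-86` hunk already uses.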
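Review bot: With `--token` dropped from `ExecStart`, the agent receives the token only if the unit loads the env file through an `EnvironmentFile=` directive in its `[Service]` section, and no such line is in this hunk — worth confirming the template carries `EnvironmentFile=-{{ systemd_dir }}/k3s-agent.service.env` (or an equivalent) above the changed lines, since otherwise the agent starts without a token and cannot join. The same check applies to the `k3s-cluster-init`, `k3s-ha` and `k3s-single` templates changed further down, whose `ExecStart` lines likewise lose `--token` in favour of `k3s.service.env`.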
@@ -174,6 +181,14 @@
 - (groups[server_group] | length) > 1
 - inventory_hostname != groups[server_group][0]
 block:
+ - name: Add the token for joining the cluster to the environment
+ no_log: true # avoid logging the server token
+ ansible.builtin.lineinfile:
+ path: "{{ systemd_dir }}/k3s.service.env"
+ line: "{{ item }}"
+ with_items:
+ - "K3S_TOKEN={{ token }}"
+
 - name: Copy K3s service file [HA]
 when: not use_external_database
 ansible.builtin.template:
diff --git a/roles/k3s_server/templates/k3s-cluster-init.service.j2 b/roles/k3s_server/templates/k3s-cluster-init.service.j2
index 0b79305..ff43061 100644
--- a/roles/k3s_server/templates/k3s-cluster-init.service.j2
+++ b/roles/k3s_server/templates/k3s-cluster-init.service.j2
@@ -25,4 +25,4 @@ Restart=always
 RestartSec=5s
 ExecStartPre=-/sbin/modprobe br_netfilter
 ExecStartPre=-/sbin/modprobe overlay
-ExecStart=/usr/local/bin/k3s server --cluster-init --data-dir {{ k3s_server_location }} --token {{ token }} {{ extra_server_args }}
\ No newline at end of file
+ExecStart=/usr/local/bin/k3s server --cluster-init --data-dir {{ k3s_server_location }} {{ extra_server_args }}
diff --git a/roles/k3s_server/templates/k3s-ha.service.j2 b/roles/k3s_server/templates/k3s-ha.service.j2
index bf61e62..131f590 100644
--- a/roles/k3s_server/templates/k3s-ha.service.j2
+++ b/roles/k3s_server/templates/k3s-ha.service.j2
@@ -25,4 +25,4 @@ Restart=always
 RestartSec=5s
 ExecStartPre=-/sbin/modprobe br_netfilter
 ExecStartPre=-/sbin/modprobe overlay
-ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} --server https://{{ api_endpoint }}:{{ api_port }} --token {{ token }} {{ extra_server_args }}
\ No newline at end of file
+ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} --server https://{{ api_endpoint }}:{{ api_port }} {{ extra_server_args }}
diff --git a/roles/k3s_server/templates/k3s-single.service.j2 b/roles/k3s_server/templates/k3s-single.service.j2
index 8690939..60b284b 100644
--- a/roles/k3s_server/templates/k3s-single.service.j2
+++ b/roles/k3s_server/templates/k3s-single.service.j2
@@ -25,4 +25,4 @@ Restart=always
 RestartSec=5s
 ExecStartPre=-/sbin/modprobe br_netfilter
 ExecStartPre=-/sbin/modprobe overlay
-ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} --token {{ token }} {{ extra_server_args }}
\ No newline at end of file
+ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} {{ extra_server_args }}