Security exposure related to the token (#356)

* Security exposure related to the token The installation playbook saves the token into the systemd unit configuration file /etc/systemd/system/k3s.service. The problem is that according to K3s' documentation "the server token should be guarded carefully" (https://docs.k3s.io/cli/token), yet the configuration file is readable by anybody. A better solution is to save the token into its corresponding environment file /etc/systemd/system/k3s.service.env which is readable by the super user only. This is what the standard K3s' installation script (https://get.k3s.io) does. Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com> * Restore the server URL into systemd configuration file There aren't any security implications in keeping it there. Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com> --------- Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
2025-12-25 00:12:37 +01:00 · 2024-09-04 14:02:52 -07:00
parent 3e0c982a95
commit 2d98982809
6 changed files with 27 additions and 4 deletions
--- a/roles/k3s_agent/tasks/main.yml
+++ b/roles/k3s_agent/tasks/main.yml
@@ -35,6 +35,14 @@
        INSTALL_K3S_EXEC: "agent"
      changed_when: true

+    - name: Add the token for joining the cluster to the environment
+      no_log: true # avoid logging the server token
+      ansible.builtin.lineinfile:
+        path: "{{ systemd_dir }}/k3s-agent.service.env"
+        line: "{{ item }}"
+      with_items:
+        - "K3S_TOKEN={{ token }}"
+
 - name: Copy K3s service file
  register: k3s_agent_service
  ansible.builtin.template: