mirrors/k3s-ansible
1
0
Fork 1
mirror of https://github.com/k3s-io/k3s-ansible.git synced 2025-12-26 00:22:36 +01:00
Code Issues Packages Projects Releases Wiki Activity

Security exposure related to the token (#356)

Browse Source 
* Security exposure related to the token

The installation playbook saves the token into the systemd unit
configuration file /etc/systemd/system/k3s.service. The problem is that
according to K3s' documentation "the server token should be guarded
carefully" (https://docs.k3s.io/cli/token), yet the configuration file
is readable by anybody. A better solution is to save the token into its
corresponding environment file /etc/systemd/system/k3s.service.env which
is readable by the super user only. This is what the standard K3s'
installation script (https://get.k3s.io) does.

Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>

* Restore the server URL into systemd configuration file

There aren't any security implications in keeping it there.

Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>

---------

Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
This commit is contained in:
anon-software
2024-09-04 14:02:52 -07:00
committed by GitHub
parent 3e0c982a95
commit 2d98982809
6 changed files with 27 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
roles/k3s_agent/tasks/main.yml
View File

@@ -35,6 +35,14 @@
INSTALL_K3S_EXEC: "agent" INSTALL_K3S_EXEC: "agent"
changed_when: true changed_when: true
- name: Add the token for joining the cluster to the environment
no_log: true # avoid logging the server token
ansible.builtin.lineinfile:
path: "{{ systemd_dir }}/k3s-agent.service.env"
line: "{{ item }}"
with_items:
- "K3S_TOKEN={{ token }}"
- name: Copy K3s service file - name: Copy K3s service file
register: k3s_agent_service register: k3s_agent_service
ansible.builtin.template: ansible.builtin.template:

2
roles/k3s_agent/templates/k3s-agent.service.j2
View File

@@ -26,4 +26,4 @@ RestartSec=5s
ExecStartPre=/bin/sh -xc '! /usr/bin/systemctl is-enabled --quiet nm-cloud-setup.service' ExecStartPre=/bin/sh -xc '! /usr/bin/systemctl is-enabled --quiet nm-cloud-setup.service'
ExecStartPre=-/sbin/modprobe br_netfilter ExecStartPre=-/sbin/modprobe br_netfilter
ExecStartPre=-/sbin/modprobe overlay ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/local/bin/k3s agent --data-dir {{ k3s_server_location }} --server https://{{ api_endpoint }}:{{ api_port }} --token {{ token }} {{ extra_agent_args }} ExecStart=/usr/local/bin/k3s agent --data-dir {{ k3s_server_location }} --server https://{{ api_endpoint }}:{{ api_port }} {{ extra_agent_args }}

15
roles/k3s_server/tasks/main.yml
View File

@@ -86,6 +86,13 @@
line: "{{ item }}" line: "{{ item }}"
with_items: "{{ extra_service_envs }}" with_items: "{{ extra_service_envs }}"
# Add the token to the environment.
- name: Add token as an environment variable
no_log: true # avoid logging the server token
ansible.builtin.lineinfile:
path: "{{ systemd_dir }}/k3s.service.env"
line: "K3S_TOKEN={{ token }}"
- name: Restart K3s service - name: Restart K3s service
when: when:
- ansible_facts.services['k3s.service'] is defined - ansible_facts.services['k3s.service'] is defined
@@ -174,6 +181,14 @@
- (groups[server_group] | length) > 1 - (groups[server_group] | length) > 1
- inventory_hostname != groups[server_group][0] - inventory_hostname != groups[server_group][0]
block: block:
- name: Add the token for joining the cluster to the environment
no_log: true # avoid logging the server token
ansible.builtin.lineinfile:
path: "{{ systemd_dir }}/k3s.service.env"
line: "{{ item }}"
with_items:
- "K3S_TOKEN={{ token }}"
- name: Copy K3s service file [HA] - name: Copy K3s service file [HA]
when: not use_external_database when: not use_external_database
ansible.builtin.template: ansible.builtin.template:

2
roles/k3s_server/templates/k3s-cluster-init.service.j2
View File

@@ -25,4 +25,4 @@ Restart=always
RestartSec=5s RestartSec=5s
ExecStartPre=-/sbin/modprobe br_netfilter ExecStartPre=-/sbin/modprobe br_netfilter
ExecStartPre=-/sbin/modprobe overlay ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/local/bin/k3s server --cluster-init --data-dir {{ k3s_server_location }} --token {{ token }} {{ extra_server_args }} ExecStart=/usr/local/bin/k3s server --cluster-init --data-dir {{ k3s_server_location }} {{ extra_server_args }}

2
roles/k3s_server/templates/k3s-ha.service.j2
View File

@@ -25,4 +25,4 @@ Restart=always
RestartSec=5s RestartSec=5s
ExecStartPre=-/sbin/modprobe br_netfilter ExecStartPre=-/sbin/modprobe br_netfilter
ExecStartPre=-/sbin/modprobe overlay ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} --server https://{{ api_endpoint }}:{{ api_port }} --token {{ token }} {{ extra_server_args }} ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} --server https://{{ api_endpoint }}:{{ api_port }} {{ extra_server_args }}

2
roles/k3s_server/templates/k3s-single.service.j2
View File

@@ -25,4 +25,4 @@ Restart=always
RestartSec=5s RestartSec=5s
ExecStartPre=-/sbin/modprobe br_netfilter ExecStartPre=-/sbin/modprobe br_netfilter
ExecStartPre=-/sbin/modprobe overlay ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} --token {{ token }} {{ extra_server_args }} ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} {{ extra_server_args }}