Unverified Commit 2d989828 authored by anon-software's avatar anon-software Committed by GitHub
Browse files

Security exposure related to the token (#356) 

* Security exposure related to the token

The installation playbook saves the token into the systemd unit
configuration file /etc/systemd/system/k3s.service. The problem is that
according to K3s' documentation "the server token should be guarded
carefully" (https://docs.k3s.io/cli/token), yet the configuration file
is readable by anybody. A better solution is to save the token into its
corresponding environment file /etc/systemd/system/k3s.service.env which
is readable by the super user only. This is what the standard K3s'
installation script (https://get.k3s.io

) does.

Signed-off-by: default avatarMarko Vukovic <8951449+anon-software@users.noreply.github.com>

* Restore the server URL into systemd configuration file

There aren't any security implications in keeping it there.

Signed-off-by: default avatarMarko Vukovic <8951449+anon-software@users.noreply.github.com>

---------

Signed-off-by: default avatarMarko Vukovic <8951449+anon-software@users.noreply.github.com>
parent 3e0c982a

roles/k3s_agent/tasks/main.yml

+8 −0
Original line number Diff line number Diff line
@@ -35,6 +35,14 @@ 
        INSTALL_K3S_EXEC: "agent"

      changed_when: true



    - name: Add the token for joining the cluster to the environment

      no_log: true # avoid logging the server token

      ansible.builtin.lineinfile:

        path: "{{ systemd_dir }}/k3s-agent.service.env"

        line: "{{ item }}"

      with_items:

        - "K3S_TOKEN={{ token }}"



- name: Copy K3s service file

  register: k3s_agent_service

  ansible.builtin.template:

roles/k3s_agent/templates/k3s-agent.service.j2

+1 −1
Original line number Diff line number Diff line
@@ -26,4 +26,4 @@ RestartSec=5s 
ExecStartPre=/bin/sh -xc '! /usr/bin/systemctl is-enabled --quiet nm-cloud-setup.service'

ExecStartPre=-/sbin/modprobe br_netfilter

ExecStartPre=-/sbin/modprobe overlay

ExecStart=/usr/local/bin/k3s agent --data-dir {{ k3s_server_location }} --server https://{{ api_endpoint }}:{{ api_port }} --token {{ token }} {{ extra_agent_args }}
 
ExecStart=/usr/local/bin/k3s agent --data-dir {{ k3s_server_location }} --server https://{{ api_endpoint }}:{{ api_port }} {{ extra_agent_args }}

roles/k3s_server/tasks/main.yml

+15 −0
Original line number Diff line number Diff line
@@ -86,6 +86,13 @@ 
        line: "{{ item }}"

      with_items: "{{ extra_service_envs }}"



    # Add the token to the environment.

    - name: Add token as an environment variable

      no_log: true # avoid logging the server token

      ansible.builtin.lineinfile:

        path: "{{ systemd_dir }}/k3s.service.env"

        line: "K3S_TOKEN={{ token }}"



    - name: Restart K3s service

      when:

        - ansible_facts.services['k3s.service'] is defined
@@ -174,6 +181,14 @@ 
    - (groups[server_group] | length) > 1

    - inventory_hostname != groups[server_group][0]

  block:

    - name: Add the token for joining the cluster to the environment

      no_log: true # avoid logging the server token

      ansible.builtin.lineinfile:

        path: "{{ systemd_dir }}/k3s.service.env"

        line: "{{ item }}"

      with_items:

        - "K3S_TOKEN={{ token }}"



    - name: Copy K3s service file [HA]

      when: not use_external_database

      ansible.builtin.template:

roles/k3s_server/templates/k3s-cluster-init.service.j2

+1 −1
Original line number Diff line number Diff line
@@ -25,4 +25,4 @@ Restart=always 
RestartSec=5s

ExecStartPre=-/sbin/modprobe br_netfilter

ExecStartPre=-/sbin/modprobe overlay

ExecStart=/usr/local/bin/k3s server --cluster-init --data-dir {{ k3s_server_location }} --token {{ token }} {{ extra_server_args }} 
 No newline at end of file
 
ExecStart=/usr/local/bin/k3s server --cluster-init --data-dir {{ k3s_server_location }} {{ extra_server_args }}

roles/k3s_server/templates/k3s-ha.service.j2

+1 −1
Original line number Diff line number Diff line
@@ -25,4 +25,4 @@ Restart=always 
RestartSec=5s

ExecStartPre=-/sbin/modprobe br_netfilter

ExecStartPre=-/sbin/modprobe overlay

ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} --server https://{{ api_endpoint }}:{{ api_port }} --token {{ token }} {{ extra_server_args }} 
 No newline at end of file
 
ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} --server https://{{ api_endpoint }}:{{ api_port }} {{ extra_server_args }}