
[BUG]: Kubernetes@1 task generates a kubeconfig file which the HelmDeploy@0 task complains is insecure #19259

Open
3 of 4 tasks
jackmtpt opened this issue Nov 10, 2023 · 4 comments

Comments

@jackmtpt

Task name

Kubernetes

Task version

1

Environment type (Please select at least one environment where you face this issue)

  • Self-Hosted
  • Microsoft Hosted
  • VMSS Pool
  • Container

Azure DevOps Server type

dev.azure.com (formerly visualstudio.com)

Azure DevOps Server Version (if applicable)

No response

Operating system

Ubuntu 22.04

Task log

Helm task output:

##[error]WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /azp/_work/_temp/kubectlTask/1234/config

Relevant log output

##[error]WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /azp/_work/_temp/kubectlTask/1234/config

Additional info

To repro:

```yaml
- task: Kubernetes@1
  inputs:
    connectionType: 'Azure Resource Manager'
    azureSubscriptionEndpoint: your-sub
    azureResourceGroup: your-rg
    kubernetesCluster: your-cluster
    command: 'login'

# This will end up writing a kubeconfig file to a temporary path e.g. /azp/_work/_temp/kubectlTask/1234/config
```

Then run:

```yaml
- task: HelmDeploy@0
  inputs:
    connectionType: None
    publishPipelineMetadata: false
    command: upgrade
    namespace: your-ns
    releaseName: some-release
    chartType: FilePath
    chartPath: /path/to/chart
```

The HelmDeploy task will chmod() the kubeconfig file to 600 but NOT if the connectionType is `None` - which is what the value needs to be in order to authenticate to an AKS cluster using a non-admin service principal (via the Kubernetes@1 task, which calls `kubelogin` to generate the proper kubeconfig file for you). That's irrelevant though, because the kubeconfig shouldn't even be allowed to exist on-disk with insecure permissions.

The bug is the Kubernetes task generating a kubeconfig with insecure mode bits. It should ensure that the file is properly secured BEFORE it writes anything to it, since when `kubelogin` is called with `-l spn` the actual service principal secret is written to the file and could be stolen.

github-actions bot commented May 8, 2024

This issue is stale because it has been open for 180 days with no activity. Remove the stale label or comment on the issue otherwise this will be closed in 5 days

@github-actions github-actions bot added the stale label May 8, 2024
@jackmtpt
Author

jackmtpt commented May 8, 2024

Not stale

@github-actions github-actions bot removed the stale label May 8, 2024

github-actions bot commented Nov 4, 2024

This issue is stale because it has been open for 180 days with no activity. Remove the stale label or comment on the issue otherwise this will be closed in 5 days

@github-actions github-actions bot added the stale label Nov 4, 2024
@jackmtpt
Author

jackmtpt commented Nov 4, 2024

Not stale

@github-actions github-actions bot removed the stale label Nov 4, 2024