2

I would like to know the security implications of using a bootstrap token that never expires. The reason why I'm considering doing that is that I'm using terraform and my control-plane is in a autoscaling-group, so the credentials required to join a cluster need to be known when the group is created and need to stay valid for as long as the group lives (ie, "forever").

Now, the obvious implication is that anyone that get access to the token and is in my private network can take control of the entire infrastructure, which is pretty bad. That being said, if I go that route, the secrets would be stored in the instance metadata and that metadata would be firewalled to be only accessible by root.

My assumption is that if a user get access to the token it means they are root and would therefore have no use for the tokens anyway. Am I correct? Any other security implications I should consider? Thanks.

MyUsername112358
  • 123
  • 4

1 Answers1

1

Storing secrets in AWS instance metadata for Kubernetes clusters can be very dangerous unless carefully configured. The main risk is that an attacker who can get access to any container running on your cluster, will get access to the metadata service running on 169.254.169.254.

This could happen in a couple of ways. Firstly an attacker who finds a remote code execution vulnerability in one of your containers may be able to use curl or similar from the container to hit the cluster nodes metadata service.

Another possible attack route for this issue would be via Server-Side Request Forgery (SSRF) vulnerabilities in your containers, although using IMDSv2 can help here (reference here)

If you still need to store a privileged secret in AWS Metadata, you can look at mitigations for this risk, like using Network Policies to restrict access to the metadata endpoint from containers, or using something like kube2iam to restrict what AWS metadata access is possible from containers in the cluster.

Rory McCune
  • 60,923
  • 14
  • 136
  • 217