
I have a containerized JVM application (multiple actually) running on kubernetes, which needs to trust additional custom/private CAs (which are not known beforehand, the application will be deployed in multiple unrelated data-centers that have their own PKI).

The cacerts in the base image are not writable at runtime.

Currently I see these options:

  1. do not provide an option to modify cacerts, force the DCs to manage & inject their own cacert files via container volumes.
  2. make cacerts file writeable at runtime and modify cacerts in entrypoint
  3. do not use JDK TLS - set truststore at "client" level (e.g. CXF)
  4. ...?

Under the assumption the DCs will not run JVM apps only, they will not like to manage cacerts themselves, because cacerts is specific to JVM and they then potentially need to do that for every technology. Thus I do not really like that option.

The second option seems to be a quite pragmatic one - but I suspect that making the cacerts writable at runtime is a bad practice because an attacker could modify configuration s/he should not be able to.

The third option has its limitations and intricacies because you need to make each and every client configurable. (In case of CXF for example fetching the initial WSDL file does not seem to be covered by CXF but by the JVM...) But this means if your client is not (properly) configurable this does not work.

Thus I am back at option 2.

My questions would be:

Is it a bad practice to have cacerts writeable at runtime?

Is there an option I missed that allows injecting (arbitrary) additional CAs into cacerts without making it writeable at runtime?

Sir Muffington
ciis0

1 Answer


Have you considered a combination of an init container and an emptyDir volume which is readOnly: true in the application container?

apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
spec:
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      initContainers:
        - name: cacerts
          image: cacerts-importer
          volumeMounts:
            - name: cacerts
              mountPath: /media/cacerts
            - name: cacert-imports
              mountPath: /media/cacert-imports
      containers:
        - name: app
          image: app:v1
          volumeMounts:
            - name: cacerts
              mountPath: /media/cacerts
              readOnly: true
      volumes:
        - name: cacerts
          emptyDir: {}
        - name: cacert-imports
          configMap:
            name: cacert-imports
ciis0
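One way the cacerts-importer init container from the answer above could be implemented, as an added example that is not part of the original answer: a POSIX shell script that copies the JDK's stock cacerts into the shared emptyDir and appends every PEM certificate found in the ConfigMap mount using keytool. It assumes the init image ships a JDK (for keytool and the base cacerts file), that the store password is the JDK default changeit, and that the environment variable names and the script file name import-cacerts.sh are hypothetical choices of this example.

```shell
#!/bin/sh
# Hypothetical entrypoint for the "cacerts-importer" init container (example, not from the post).
# Assumptions: a JDK is installed in the image (keytool + stock cacerts), the DC-provided
# CA certificates are PEM files under IMPORT_DIR (the ConfigMap mount), and the result is
# written to OUT_DIR (the emptyDir that the application container mounts readOnly: true).
set -eu

JDK_CACERTS="${JDK_CACERTS:-${JAVA_HOME:-/usr/lib/jvm/default}/lib/security/cacerts}"
IMPORT_DIR="${IMPORT_DIR:-/media/cacert-imports}"
OUT_DIR="${OUT_DIR:-/media/cacerts}"
STOREPASS="${STOREPASS:-changeit}"   # JDK default password for cacerts

# Succeeds only if the file contains at least one PEM certificate block.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null
}

# Derives a keytool alias from a file name, e.g. /x/corp-root.pem -> import-corp-root,
# so every injected anchor is easy to spot later with "keytool -list".
alias_for() {
    name=$(basename "$1")
    printf 'import-%s\n' "${name%.*}"
}

# Builds the truststore: copies the base store ($1) to $3 and imports every PEM file from $2.
# Prints the number of certificates imported; non-PEM entries are reported on stderr and skipped.
build_truststore() {
    base="$1"; import_dir="$2"; out="$3"
    count=0
    # emptyDir survives a restart of the init container, so remove a stale read-only copy first.
    rm -f "$out"
    cp "$base" "$out"
    chmod 0644 "$out"
    for f in "$import_dir"/*; do
        # ConfigMap mounts contain symlinks to ..data/<key>; -f follows them and skips directories.
        [ -f "$f" ] || continue
        if ! is_pem_cert "$f"; then
            echo "skipping $f: not a PEM certificate" >&2
            continue
        fi
        keytool -importcert -noprompt -trustcacerts \
            -keystore "$out" -storepass "$STOREPASS" \
            -alias "$(alias_for "$f")" -file "$f"
        count=$((count + 1))
    done
    chmod 0444 "$out"   # world-readable, not writable; the app container mounts the volume readOnly anyway
    echo "$count"
}

# Run only when invoked as the container entrypoint (file named import-cacerts.sh),
# so the functions can also be sourced for testing.
if [ "${0##*/}" = "import-cacerts.sh" ]; then
    n=$(build_truststore "$JDK_CACERTS" "$IMPORT_DIR" "$OUT_DIR/cacerts")
    echo "imported $n CA certificate(s) into $OUT_DIR/cacerts"
fi
```

The application container then has to be pointed at the generated store, for instance with -Djavax.net.ssl.trustStore=/media/cacerts/cacerts -Djavax.net.ssl.trustStorePassword=changeit, or by mounting the file over the JDK's own cacerts path with a subPath volume mount. Because the emptyDir is mounted readOnly: true in the application container, the application process cannot alter its trust anchors at runtime, which is the concern raised in the question; the anchors are then only as trustworthy as whoever may write the cacert-imports ConfigMap, so RBAC on that object is the control that matters. You can verify the result from inside the init container with keytool -list -keystore /media/cacerts/cacerts -storepass changeit and look for the import- aliases.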