insecure tmp file usage (race on world readable ceph secrets)

Bug #1892235 reported by James Troup
Affects: Kubernetes Control Plane Charm
Status: Triaged
Importance: Medium
Assigned to: Unassigned

Bug Description

charm-kubernetes-master/reactive/kubernetes_master.py: render('ceph-secret.yaml', '/tmp/ceph-secret.yaml', context)

Granted it's a race to read this file, but this still shouldn't be written out as world readable.

George Kraft (cynerva) wrote:

Thanks for pointing this out. The code is here: https://github.com/charmed-kubernetes/charm-kubernetes-master/blob/5f658e311650c71e86a4e63d49cbc8ec15d0eb9f/reactive/kubernetes_master.py#L1507

This is part of legacy code in the charm to support Kubernetes 1.11 and earlier. We can just remove that whole section, as Kubernetes 1.11 is well outside the range of versions supported by current charms.

Changed in charm-kubernetes-master:
importance: Undecided → Medium
status: New → Triaged
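As an added illustration of the reported pattern beside an owner-only alternative (example code, not the charm's own; the file names and the sample YAML are constructed, and the charm's actual resolution was to drop the legacy section), the following Python writes a secret under a typical 022 umask both ways and returns the resulting permission bits:

```python
import os
import stat
import tempfile

# Constructed stand-in for a rendered ceph-secret.yaml; not a real key.
SAMPLE_SECRET_YAML = "apiVersion: v1\nkind: Secret\ndata:\n  key: PLACEHOLDER_BASE64\n"


def write_insecure(path, content):
    """The reported pattern: a plain open() creates the file under the
    process umask, so with the usual 022 it lands as 0644 (world readable).
    Any local user who reads it before the charm removes it wins the race."""
    with open(path, "w") as fh:
        fh.write(content)
    return stat.S_IMODE(os.stat(path).st_mode)


def write_private(path, content):
    """Create the file owner-only (0600) in the same syscall that creates it,
    so there is no window in which others can read it. O_EXCL fails if the
    name already exists (a pre-created file or symlink) and O_NOFOLLOW refuses
    to follow a symlink, so the secret cannot be redirected into another file."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Write the sample both ways in a scratch directory under umask 022 and
    return (insecure_mode, private_mode, refused_preexisting_file)."""
    with tempfile.TemporaryDirectory() as scratch:
        old_umask = os.umask(0o022)
        try:
            insecure = write_insecure(os.path.join(scratch, "insecure.yaml"), SAMPLE_SECRET_YAML)
            private = write_private(os.path.join(scratch, "private.yaml"), SAMPLE_SECRET_YAML)
            # A name that already exists when we try to create it must be refused.
            try:
                write_private(os.path.join(scratch, "private.yaml"), SAMPLE_SECRET_YAML)
                refused = False
            except FileExistsError:
                refused = True
        finally:
            os.umask(old_umask)
        return insecure, private, refused
```

Calling `demo()` returns `(0o644, 0o600, True)`: the plain write is world readable, the owner-only write is not, and a pre-existing path is rejected rather than overwritten.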