Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

services: reject node secret for Read/List RPC #23910

Merged
merged 1 commit into from
Sep 5, 2024
Merged

services: reject node secret for Read/List RPC #23910

merged 1 commit into from
Sep 5, 2024

Conversation

tgross
Copy link
Member

@tgross tgross commented Sep 4, 2024
edited
Loading

As of Nomad 1.5.0, Nomad clients never make RPC requests to the ServiceRegistrationList/Read RPC without using a specific Workload Identity rather than the node secret. Nomad servers already have an anti-entropy behavior where terminal allocations / lost nodes get their services cleaned up, so there's no future reason for clients to have this access. Tighten the ACL permissions on these RPCs so that node secrets are no longer valid tokens.

Ref: https://hashicorp.atlassian.net/browse/NET-10009
Ref: https://developer.hashicorp.com/nomad/docs/release-notes/nomad/upcoming#nomad-1-9-0

@tgross tgross added this to the 1.9.0 milestone Sep 4, 2024
@tgross tgross force-pushed the service-reg-listread-node-secrets branch 2 times, most recently from 5d240b8 to a85de0f Compare September 4, 2024 14:11
@tgross
services: reject node secret for Read/List RPC
af863a3 
As of Nomad 1.6.0, Nomad clients never make RPC requests to the
ServiceRegistrationList/Read RPC without using a specific Workload Identity
rather than the node secret. Tighten the ACL permissions on these RPCs so that
node secrets are no longer valid tokens.

Ref: https://hashicorp.atlassian.net/browse/NET-10009
Ref: https://developer.hashicorp.com/nomad/docs/release-notes/nomad/upcoming#nomad-1-9-0
@tgross tgross force-pushed the service-reg-listread-node-secrets branch from a85de0f to af863a3 Compare September 4, 2024 14:34
@tgross tgross marked this pull request as ready for review September 4, 2024 15:08
gulducat
gulducat approved these changes Sep 5, 2024
View reviewed changes
Copy link
Member

@gulducat gulducat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm!

@tgross tgross merged commit 04ad716 into main Sep 5, 2024
19 checks passed
@tgross tgross deleted the service-reg-listread-node-secrets branch September 5, 2024 17:52
@tgross tgross mentioned this pull request Sep 6, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gulducat gulducat gulducat approved these changes

@jrasell jrasell Awaiting requested review from jrasell

@Juanadelacuesta Juanadelacuesta Awaiting requested review from Juanadelacuesta

Assignees
No one assigned
Labels
theme/auth theme/service-discovery/nomad type/enhancement
Projects
None yet
Milestone
1.9.0
Development

Successfully merging this pull request may close these issues.
2 participants
@tgross @gulducat