Skip to content

Potential security risk using Openshift Connection Service #224

Description

@DamianBacalov

When using the Task "Execute OC command" with Openshift Connection Service, the module uses the kubeconfig placed in the home folder. This is a security risk for several reasons:
. The information is not deleted when the execution ends. This means that the kubeconfig has all the service accounts credentials on it and anyone can create a pipeline to see it.
. If two pipelines starts in parallel the second pipeline overwrites the information causing the first one will be using a wrong connection
. In the previous scenario, one pipeline could starts deploying objects in one cluster and ends in another cluster

The solution could be to use a kubeconfig placed in the same cloned folder (which is exclusive for the execution).

I think the problem is in the file "src/oc-auth.ts" line 135. I'm attaching a screenshot.

Thanks!
D.

Image

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions