tg123/sshpiper

Cache private keys for upstream servers from Kubernetes

vholer opened this issue · 1 comment

When a public-key-authenticated session is being established from downstream to sshpiper, the Kubernetes control plane is not directly queried, as the Kubernetes client in sshpiper listens to changes in Pipe CRDs and fetches/caches them as they happen. After that, when the second connection is being established from sshpiper to the final upstream server, sshpiper always fetches the fresh SSH private key.

It might be nice to have a (switchable) option to listen to/cache these SSH private key Secrets as well.

secret, err := p.k8sclient.Secrets(pipe.Namespace).Get(context.Background(), to.PrivateKeySecret.Name, metav1.GetOptions{})

USE CASE:

  • valid, but malicious, user might try to DoS Kubernetes control plane by logging in a loop
  • Kubernetes control plane maintenance/upgrade makes the service unavailable
tg123 commented

I remember why I did not use a lister/cacher for secrets: it is to restrict access to `get` within the same namespace only.

https://kubernetes.io/docs/concepts/security/secrets-good-practices/#least-privilege-secrets
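The least-privilege trade-off behind the comment above, as an added RBAC illustration (these are not sshpiper's own manifests; the namespace `pipes`, the ServiceAccount `sshpiper` and its namespace `sshpiper-system` are assumed names):

```yaml
# Added illustration, not part of sshpiper or this issue.
# Namespace "pipes" and ServiceAccount "sshpiper"/"sshpiper-system" are assumed.
#
# Variant A: what the per-connection Get in the issue needs. A plain "get"
# cannot enumerate Secrets, so a compromised sshpiper can only read Secrets
# whose names it already knows (those named in Pipes), in that namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: sshpiper-secret-get
  namespace: pipes
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]
---
# Variant B: what a lister/cacher (informer) would require. Its cache is
# filled by an unfiltered list+watch, which a resourceNames restriction does
# not cover, so the Role must grant enumeration of every Secret in the
# namespace. Wider read access is the price of avoiding the per-login
# control-plane round trip (and, across namespaces, it becomes a ClusterRole).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: sshpiper-secret-cache
  namespace: pipes
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sshpiper-secrets
  namespace: pipes
subjects:
- kind: ServiceAccount
  name: sshpiper
  namespace: sshpiper-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: sshpiper-secret-get   # bind sshpiper-secret-cache instead to allow caching
```

Checking the effective grant is a one-liner: `kubectl auth can-i list secrets -n pipes --as=system:serviceaccount:sshpiper-system:sshpiper` should answer `no` under variant A and `yes` under variant B.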