Controller Component Threat Model #60
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ytimocin
force-pushed
the
ytimocin/threat/controller
branch
from
a9e6911 to
0ae21ad
Compare
rynowak
reviewed
Aug 9, 2024
rynowak
reviewed
Aug 9, 2024
rynowak
reviewed
Aug 9, 2024
rynowak
reviewed
Aug 9, 2024
rynowak
reviewed
Aug 9, 2024
rynowak
reviewed
Aug 9, 2024
rynowak
reviewed
Aug 9, 2024
rynowak
reviewed
Aug 9, 2024
rynowak
reviewed
Aug 9, 2024
rynowak
reviewed
Aug 9, 2024
rynowak
reviewed
Aug 9, 2024
rynowak
reviewed
Aug 9, 2024
ytimocin
force-pushed
the
ytimocin/threat/controller
branch
3 times, most recently
from
cad2565 to
d280848
Compare
ytimocin
changed the title
kachawla
reviewed
Aug 13, 2024
architecture/2024-08-controller-component-threat-model/controller-component.png
Outdated
Show resolved
Hide resolved
ytimocin
commented
Aug 13, 2024
lakshmimsft
reviewed
Aug 13, 2024
kachawla
reviewed
Aug 13, 2024
kachawla
reviewed
Aug 13, 2024
kachawla
reviewed
Aug 13, 2024
rynowak
reviewed
Aug 13, 2024
kachawla
reviewed
Aug 13, 2024
kachawla
reviewed
Aug 13, 2024
ytimocin
force-pushed
the
ytimocin/threat/controller
branch
3 times, most recently
from
3498c5b to
8e36962
Compare
ytimocin
requested review from
rynowak,
kachawla,
nithyatsu,
lakshmimsft,
brooke-hamilton,
sylvainsf,
willdavsmith and
nicolejms
brooke-hamilton
approved these changes
Sep 27, 2024
rynowak
reviewed
Sep 27, 2024
|
|
||
| #### Data Serialization / Formats | ||
|
|
||
| We use custom parsers to parse Radius-related resource IDs and do not use any other custom parsers and instead rely on Kubernetes built-in parsers. Therefore, we trust Kubernetes security measures to handle data serialization and formats securely. The custom parser that parses Radius resource IDs has its own security mechanisms that don't accept anything other than a Radius resource ID. |
There was a problem hiding this comment.
We should have an action item to do fuzz-testing on the resource ID.
Custom format + untrusted data -> do fuzz testing.
rynowak
reviewed
Sep 27, 2024
|
|
||
| ## Action Items | ||
|
|
||
| 1. Use a hashing algorithm other than SHA-1 while computing the hash of the configuration of a Deployment object. This is a breaking change because deployments that are already hashed with SHA1 should be redeployed so that reconciler can work as expected. |
There was a problem hiding this comment.
This isn't a breaking change, we'd just do extra work 😆
rynowak
reviewed
Sep 27, 2024
| 1. Use a hashing algorithm other than SHA-1 while computing the hash of the configuration of a Deployment object. This is a breaking change because deployments that are already hashed with SHA1 should be redeployed so that reconciler can work as expected. | ||
| 2. Check if RBAC with Least Privilege is configured for every component to ensure that each component has only the permissions it needs to function. Make changes to the necessary components if required. | ||
| 3. Define and implement necessary Network Policies to ensure that communication is accepted only from expected and authorized components. Regularly review and update these policies to maintain security. | ||
| 4. Containers should run as a non-root user wherever possible to minimize the risks. Check if we can run any of the Radius containers as non-root. Do the necessary updates. |
There was a problem hiding this comment.
I'd prefer that these "review" items be handled as part of the threat model review.
For example:
Check if RBAC with Least Privilege is configured for every component to ensure that each component has only the permissions it needs to function.
The threat model is the right place for us to define the "permissions each component needs to function". It doesn't make sense to push this work out of the threat model.
Containers should run as a non-root user wherever possible to minimize the risks. Check if we can run any of the Radius containers as non-root.
This is just scratching the surface in terms of policies applied to our components 😆. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/#policy-instantiation
Signed-off-by: ytimocin <[email protected]>
Signed-off-by: ytimocin <[email protected]>
…lso the threat model Signed-off-by: ytimocin <[email protected]>
Signed-off-by: ytimocin <[email protected]>
Signed-off-by: ytimocin <[email protected]>
Signed-off-by: ytimocin <[email protected]>
Signed-off-by: ytimocin <[email protected]>
…ng some of them as discussed in the design meeting Signed-off-by: ytimocin <[email protected]>
Signed-off-by: ytimocin <[email protected]>
Signed-off-by: ytimocin <[email protected]>
ytimocin
force-pushed
the
ytimocin/threat/controller
branch
from
8e36962 to
b945030
Compare
Signed-off-by: ytimocin <[email protected]>
rynowak
approved these changes
Sep 27, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adding the threat model doc for the controller component.