Limit Vault service account token reads#7786
Conversation
Signed-off-by: Zbynek Roubalik <[email protected]>
|
Thank you for your contribution! 🙏 Please understand that we will do our best to review your PR and give you feedback as soon as possible, but please bear with us if it takes a little longer as expected. While you are waiting, make sure to:
Once the initial tests are successful, a KEDA member will ensure that the e2e tests are run. Once the e2e tests have been successfully completed, the PR may be merged at a later date. Please be patient. Learn more about our contribution guide. |
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
|
/run-e2e hashicorp passed tests: 1failed tests: 0 |
There was a problem hiding this comment.
Pull request overview
This PR hardens the Vault Kubernetes authentication path by bounding reads of projected service account token files and rejecting non-regular files, preventing potential memory/IO abuse before JWT validation.
Changes:
- Add a maximum size cap for projected service account token reads and enforce it before token validation.
- Reject non-regular token paths (eg, directories).
- Extend tests and adjust Vault handler test expectations to match the updated error behavior.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| pkg/scaling/resolver/k8s_validator.go | Adds bounded/validated file reading for projected SA tokens before JWT parsing. |
| pkg/scaling/resolver/k8s_validator_test.go | Adds test coverage for oversize token files and non-regular token paths. |
| pkg/scaling/resolver/hashicorpvault_handler_test.go | Updates expected error substring for missing token path. |
| CHANGELOG.md | Documents the fix in Unreleased fixes. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Signed-off-by: Zbynek Roubalik <[email protected]>
JorTurFer
left a comment
There was a problem hiding this comment.
why 1MB? just random value?
Kinda yes, do you think it is not enough? |
|
Personally, I think it is rather large. But better large than too small. I don't know if it can be made configurable (with a default of, say, 1MB), and whether that is desirable. |
|
/run-e2e hashicorp passed tests: 1failed tests: 0 |
I agree with both statements, when thinking about JWTs, I think of them in order of kb, but having larger limit imho doesn't hurt
I think it's ok either way, unlikely anyone will want to change this up or down so keeping this as constant is good enough |
* Limit Vault service account token reads Signed-off-by: Zbynek Roubalik <[email protected]> * Validate Vault token file after opening Signed-off-by: Zbynek Roubalik <[email protected]> --------- Signed-off-by: Zbynek Roubalik <[email protected]> Signed-off-by: Yurii Shcherbak <[email protected]>
Limits projected service account token reads used by Vault Kubernetes authentication.
The resolver previously read the configured token path without a size bound. This rejects non-regular files and caps the token read before JWT validation.
Checklist
Fixes #7783