Securing cloud_provider credentials

#1

Hello.

We deployed the latest rancher:v2.1.6 three-node HA setup and used it to successfully create a workload cluster with k8s v1.11.6 for us in OpenStack with Node Templates. Then we configured the openstack cloud_provider in that workload cluster using Stack/Edit/Edit as Yaml. Everything is working nicely.

Now I needed to make sure people can start using the cluster without getting their hands on the OpenStack service accounts I used there. Nice thing: a user with only View/Manage Nodes was able to press the “+” button and add more workers to k8s, whereas the Node Template was sitting in the admin user’s profile and was not visible to the regular user.

Unfortunately, however, I was not able to secure the password for cloud_provider. As long as a user has even minimal permissions to the cluster (i.e. “Login Access” in global + nothing in cluster + “View Workloads” in a project), such a user is able to click “View in API” on the cluster, and the resulting JSON shows all the credentials.

I wonder if it’s just me or not, whether anything can be done about it, and if I should open a bug report for this one?

Thank you,
Anthony

#2

I tested that the same happens with Rancher v2.2.1 and opened this issue: https://github.com/rancher/rancher/issues/19653

For now, the workaround is creating clusters with RKE and importing them into Rancher, avoiding the ones created by the Node driver or as a Custom cluster.

#3

Thank you, Team Rancher, for a quick resolution to this issue. The code has now been merged to master, so I believe we would see this password hidden from us in release 2.2.3.
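A defender's check for the exposure discussed in this thread, added here as an example and not code from the thread or from Rancher itself: it walks a cluster document saved from “View in API” while logged in as a low-privilege user and lists any secret-looking fields that are still in clear text, which is the quickest way to confirm the fix after upgrading. The sample document, the key patterns and the redaction markers are constructed assumptions.

```python
import json
import re

# Constructed sample of what a "View in API" cluster document looked like
# before the fix (assumption: the real Rancher document has many more fields).
SAMPLE_CLUSTER_JSON = json.dumps({
    "id": "c-abcde",
    "name": "openstack-workload",
    "rancherKubernetesEngineConfig": {
        "cloudProvider": {
            "name": "openstack",
            "openstackCloudProvider": {
                "global": {
                    "auth-url": "https://keystone.example.invalid:5000/v3",
                    "username": "svc-rancher",
                    "password": "hunter2-constructed",
                    "tenant-id": "0123456789abcdef",
                },
            },
        },
    },
})

# Key names that should never reach a low-privilege viewer in clear text.
SECRET_KEY_RE = re.compile(r"(password|secret|token|private[_-]?key|api[_-]?key)", re.I)
# Values treated as "already redacted" (assumption; extend to match your Rancher version).
REDACTED_VALUES = {"", None, "******"}

def find_exposed_secrets(doc, path=""):
    """Return dotted paths of secret-looking keys whose values are not redacted."""
    hits = []
    if isinstance(doc, dict):
        for key, value in doc.items():
            child = f"{path}.{key}" if path else key
            if SECRET_KEY_RE.search(key) and not isinstance(value, (dict, list)):
                if value not in REDACTED_VALUES:
                    hits.append(child)
            else:
                hits.extend(find_exposed_secrets(value, child))
    elif isinstance(doc, list):
        for i, item in enumerate(doc):
            hits.extend(find_exposed_secrets(item, f"{path}[{i}]"))
    return hits

def check_cluster_document(raw_json):
    """Parse a cluster document fetched as a low-privilege user and list leaks."""
    return find_exposed_secrets(json.loads(raw_json))

if __name__ == "__main__":
    for leak in check_cluster_document(SAMPLE_CLUSTER_JSON):
        print("clear-text secret exposed at:", leak)
```

Run it against the JSON a “View Workloads”-only user gets from “View in API”; an empty result after the upgrade means the cloud_provider password is no longer exposed.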