Comments (3)
sethvargo
commented on July 20, 2024
The default behavior for Berglas auto (and berglas exec) is to look up the environment as set by the deploying user. Berglas queries the GCP API for Cloud Run and gets the list of envvars set on the service deployment. This protects against a threat where an attacker injects berglas references into environment variables.
I don't quite understand your point about Cloud Functions. Cloud Functions also need viewer permissions on themselves. If the GCF SA has no permissions, neither auto nor exec will work.
If you want to accept the risk of the environment being modified, you can use berglas exec --local which will parse all local vars and won't need viewer permissions. However, even then, the GCF SA would still need permissions to talk to GCS and KMS.
from berglas.
dinvlad
commented on July 20, 2024
I see, thanks - we’re using Berglas with a Python app in Cloud Run, so have to apply berglas exec -- form (in fact, the main reason for our jump from GCF to Run was so that we could use Berglas with Python). That being said, I’ve only tried Berglas in Go locally (which works great), not in a GCF.
The main reason I’m asking is I wanted to avoid granting project-wide Run Viewer to each Run SA. However, I understand that the risk of env injection is also not to be overlooked.
from berglas.
sethvargo
commented on July 20, 2024
Yea if you run berglas exec --local -- CMD then you won't need those viewer permissions.
from berglas.
Related Issues (20)
- berglas: cannot execute binary file: Exec format error HOT 1
- Checksum in sum.golang.org is different from download without proxy/checksum database (GOPRIVATE=*) HOT 7
- Unable to use the mutation webhook method with kubernetes 1.21.5 and admissionregistration.k8s.io/v1 on GKE HOT 11
- Download berglas seems to be broken with exec format error: HOT 1
- Berglas interacts badly with tools that rely on process wrapping like Argo-workflows HOT 3
- About the latest release HOT 2
- 1.0.0 image breaks kubernetes integration HOT 6
- New version not published to https://storage.googleapis.com/berglas HOT 1
- using secret account credentials.json instead of workflow identity HOT 1
- CrashLoopBackOff when setting command in my deployments HOT 2
- version only shows as "source" if i go install HOT 3
- I would like a new release. HOT 1
- Setting KMS key location for golang library
- Mutating webhook does not run if secrets are only set through a configMap HOT 1
- Multiple CVEs in docker image HOT 4
- Please provide new release with newest go version HOT 3
- Support rich JSON secrets
- invalid value "fatal" for log level: no such level "fatal"
- Mutating Webhook setup for K8S is missing HOT 1
- Can't upgrade to version 2.X.X HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from berglas.