Project Description

The token revoker scans git repos for exposed Rancher API tokens. Once a token has been identified, the revoker can (based on configuration) automatically warn about, disable, or delete the exposed token.

Features:

  • Warn/Disable/Delete when an exposed token is detected
  • Specify which repos you want to watch for exposed tokens
  • Scan private/public repos

Design Overview:

  • Deployed as a helm chart
  • Configuration option for action to be taken on token exposure (warn, disable, delete)
  • Custom CRD for repos that the revoker will watch ("watchRepo"/name TBD)
  • Each time a new "watchRepo" is created, we spin off a goroutine which, every 5/10/30 seconds (interval TBD, possibly customizable by the user in the CRD or in the chart), scans the repo for exposed tokens.
  • watchRepo should also store the configuration the revoker needs to access private repos (probably a reference to a Secret containing an SSH key that grants access).
  • The actual logic to scan for a secret should probably reuse an established open-source project such as https://github.com/zricethezav/gitleaks . We can also contribute upstream by adding a pattern for Rancher tokens, so the work done for this project benefits a wider audience.
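The design above, as an added example and not code from the rancher-token-revoker project: Go types standing in for the proposed watchRepo CR (the field names are assumptions), one goroutine per CR that scans at the CR's interval and is cancelled when the CR is removed, and a warn/disable/delete decision handed to a consumer. The token regex is an assumption about the token shape, and the scanner is an in-memory stand-in over constructed sample input; the real revoker would clone the repo with the key from the referenced Secret and run gitleaks over the checkout.

```go
package main

import (
	"context"
	"fmt"
	"regexp"
	"strings"
	"sync"
	"time"
)

// WatchRepoSpec sketches the proposed "watchRepo" CRD; the field names are assumptions.
type WatchRepoSpec struct {
	URL       string        // clone URL (https or ssh)
	Interval  time.Duration // scan interval; the page leaves the value TBD
	SecretRef string        // Secret holding the SSH key for a private repo
	Action    string        // "warn", "disable" or "delete", the chart-level option
}

// Assumed token shape "token-<5 chars>:<54 chars>"; a deployment should reuse or upstream a gitleaks rule.
var rancherTokenRe = regexp.MustCompile(`\btoken-[a-z0-9]{5}:[a-z0-9]{54}\b`)

// FindRancherTokens returns every token-shaped string in content, repeats included.
func FindRancherTokens(content string) []string {
	return rancherTokenRe.FindAllString(content, -1)
}

// Finding is the decision handed to whatever talks to the Rancher API.
type Finding struct {
	Repo, Token, Action string
}

// Revoker runs one goroutine per watchRepo, keyed by CR name, so deleting a CR cancels exactly its loop.
type Revoker struct {
	mu      sync.Mutex
	cancels map[string]context.CancelFunc
	scan    func(context.Context, WatchRepoSpec) (string, error) // stands in for clone + gitleaks
	Events  chan Finding
}

func NewRevoker(scan func(context.Context, WatchRepoSpec) (string, error)) *Revoker {
	return &Revoker{cancels: map[string]context.CancelFunc{}, scan: scan, Events: make(chan Finding, 16)}
}

// Watch starts (or restarts) the scan loop for the watchRepo called name.
func (r *Revoker) Watch(parent context.Context, name string, spec WatchRepoSpec) {
	r.Unwatch(name)
	ctx, cancel := context.WithCancel(parent)
	r.mu.Lock()
	r.cancels[name] = cancel
	r.mu.Unlock()
	go r.loop(ctx, spec)
}

// Unwatch stops the loop for name; called when the CR is deleted.
func (r *Revoker) Unwatch(name string) {
	r.mu.Lock()
	defer r.mu.Unlock()
	if cancel, ok := r.cancels[name]; ok {
		cancel()
		delete(r.cancels, name)
	}
}

// loop scans at once and then every tick; a token is acted on once per watchRepo, not on every interval.
func (r *Revoker) loop(ctx context.Context, spec WatchRepoSpec) {
	ticker := time.NewTicker(spec.Interval)
	defer ticker.Stop()
	reported := map[string]bool{}
	for {
		if content, err := r.scan(ctx, spec); err == nil {
			for _, tok := range FindRancherTokens(content) {
				if reported[tok] {
					continue
				}
				reported[tok] = true
				select {
				case r.Events <- Finding{Repo: spec.URL, Token: tok, Action: spec.Action}:
				case <-ctx.Done():
					return
				}
			}
		}
		select {
		case <-ctx.Done():
			return
		case <-ticker.C:
		}
	}
}

func main() {
	// Constructed sample input: a committed env file that leaks a (fake) token.
	sample := "RANCHER_TOKEN=token-abcde:" + strings.Repeat("x", 54) + "\n"
	r := NewRevoker(func(context.Context, WatchRepoSpec) (string, error) { return sample, nil })
	r.Watch(context.Background(), "demo", WatchRepoSpec{URL: "https://example.invalid/org/repo.git", Interval: 50 * time.Millisecond, Action: "warn"})
	fmt.Printf("%+v\n", <-r.Events)
	r.Unwatch("demo")
}
```

The per-loop `reported` set matters in practice: a token committed once stays in git history, so without it the revoker would re-warn (or re-issue the delete call) on every interval. Watch calls Unwatch first so that an updated CR (for instance a changed interval or action) replaces its goroutine instead of leaking a second one.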

Goal for this Hackweek

Basic Goals:

  • Warn/Disable/Delete when an exposed token is detected
  • Scan public and private repos
  • Helm chart/CRD allowing install/use of basic functionality

Stretch Goals:

  • Scan/specify organizations for larger git providers (e.g. scan an entire GitHub/GitLab org)
  • Scan Output of CI pipelines (probably for popular providers like drone/travis/circle-ci/github-actions/gitlab-runners)

Resources

Upstream project that we can utilize for some of our functionality: https://github.com/zricethezav/gitleaks

Looking for hackers with the skills:

go helm kubernetes rancher security

This project is part of:

Hack Week 22

Activity

  • 2 months ago: paulgonin liked this project.
  • 2 months ago: mbolot added keyword "kuberentes" to this project.
  • 2 months ago: mbolot added keyword "rancher" to this project.
  • 2 months ago: mbolot added keyword "security" to this project.
  • 2 months ago: mbolot added keyword "go" to this project.
  • 2 months ago: mbolot added keyword "helm" to this project.
  • 2 months ago: mbolot started this project.
  • 2 months ago: mbolot originated this project.

  • Comments

    • mbolot
      about 2 months ago by mbolot

      Github repo can be found here: https://github.com/MbolotSuse/rancher-token-revoker

    • mbolot
      about 2 months ago by mbolot

      End of Hack Week update: I was able to get all basic goals and the GitHub org scanning stretch goal done, meaning that the revoker can:

      • Warn/disable/delete exposed tokens
      • Scan public/private repos (over https or ssh)
      • Can be installed using helm
      • Can scan entire GitHub organizations.
