Updated over 2 years ago.
Project Description
The token revoker scans git repos for exposed Rancher tokens. Once a token has been identified, the revoker can (based on configuration) warn about, disable, or delete the exposed token automatically.
Features:
- Warn/Disable/Delete when an exposed token is detected
- Specify which repos you want to watch for exposed tokens
- Scan private/public repos
Design Overview:
- Deployed as a helm chart
- Configuration option for action to be taken on token exposure (warn, disable, delete)
- Custom CRD for repos that the revoker will watch ("watchRepo"/name TBD)
- Each time a new "watchRepo" is created, we spin off a goroutine which, every 5/10/30 seconds (interval TBD, possibly customizable by the user in the CRD or in the chart), scans the repo for exposed tokens.
- watchRepo should also store configuration allowing the revoker to access private repos (probably a reference to a secret containing an SSH key that grants access)
- The actual logic to scan for a secret should probably use an established open-source project such as https://github.com/zricethezav/gitleaks. We can also contribute upstream by adding a pattern for Rancher tokens, so the work done for this project benefits a wider audience.
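As an added illustration (not code from this project or from gitleaks), the following Go sketch shows how the pieces of the design above fit together: a per-watchRepo goroutine that rescans on a ticker, a regex match for a Rancher-token-shaped string, and the configured warn/disable/delete action applied against an in-memory stand-in for the Rancher token API. The token pattern (`token-` plus 5 characters, a colon, then a 54-character secret), the `TokenStore` type and every function name here are assumptions made for this example; a real deployment would call the Rancher API and would get the pattern from the scanner's rule set.

```go
package main

import (
	"context"
	"fmt"
	"regexp"
	"strings"
	"sync"
	"time"
)

// Action is the response configured in the chart/CRD for an exposed token.
type Action string

const (
	ActionWarn    Action = "warn"
	ActionDisable Action = "disable"
	ActionDelete  Action = "delete"
)

// ASSUMPTION: a Rancher API key is written as "token-<5 chars>:<54-char secret>".
// The pattern is illustrative only; it is not taken from the page or from gitleaks.
var rancherTokenRe = regexp.MustCompile(`\btoken-[a-z0-9]{5}:[a-z0-9]{54}\b`)

// Finding is one exposed token. Name is the public part before the colon, which
// is all the revoker needs to disable or delete it; the secret half is not kept.
type Finding struct {
	Name string
	Line int
}

// ScanText returns every Rancher-token-shaped string found in content.
func ScanText(content string) []Finding {
	var found []Finding
	for i, line := range strings.Split(content, "\n") {
		for _, m := range rancherTokenRe.FindAllString(line, -1) {
			found = append(found, Finding{Name: strings.SplitN(m, ":", 2)[0], Line: i + 1})
		}
	}
	return found
}

// TokenStore is a hypothetical in-memory stand-in for the Rancher token API.
type TokenStore struct {
	mu     sync.Mutex
	tokens map[string]bool // token name -> enabled
}

func NewTokenStore(names ...string) *TokenStore {
	s := &TokenStore{tokens: make(map[string]bool)}
	for _, n := range names {
		s.tokens[n] = true
	}
	return s
}

// Enabled reports whether the token exists and whether it is still enabled.
func (s *TokenStore) Enabled(name string) (enabled, exists bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	enabled, exists = s.tokens[name]
	return
}

// Apply carries out the configured action for one finding and returns a log line.
// A string that matches the pattern but is unknown to Rancher is only reported.
func (s *TokenStore) Apply(action Action, f Finding) string {
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, exists := s.tokens[f.Name]; !exists {
		return fmt.Sprintf("WARN: %s (line %d) matches the pattern but is unknown to Rancher", f.Name, f.Line)
	}
	switch action {
	case ActionDisable:
		s.tokens[f.Name] = false
		return fmt.Sprintf("DISABLED: %s exposed at line %d", f.Name, f.Line)
	case ActionDelete:
		delete(s.tokens, f.Name)
		return fmt.Sprintf("DELETED: %s exposed at line %d", f.Name, f.Line)
	default:
		return fmt.Sprintf("WARN: %s exposed at line %d", f.Name, f.Line)
	}
}

// Watch is the per-watchRepo loop: scan immediately, then again on every tick
// until ctx is cancelled (for instance when the watchRepo object is deleted).
func Watch(ctx context.Context, interval time.Duration, fetch func() string,
	store *TokenStore, action Action, report func(string)) {
	ticker := time.NewTicker(interval)
	defer ticker.Stop()
	for {
		for _, f := range ScanText(fetch()) {
			report(store.Apply(action, f))
		}
		select {
		case <-ctx.Done():
			return
		case <-ticker.C:
		}
	}
}

func main() {
	// Constructed sample of a committed file; the "secret" is 54 repeated characters.
	sample := "RANCHER_TOKEN=token-abcde:" + strings.Repeat("x", 54) + "\nREGION=eu\n"
	store := NewTokenStore("token-abcde", "token-fghij")
	ctx, cancel := context.WithTimeout(context.Background(), 25*time.Millisecond)
	defer cancel()
	Watch(ctx, 10*time.Millisecond, func() string { return sample }, store, ActionDisable,
		func(msg string) { fmt.Println(msg) })
	enabled, _ := store.Enabled("token-abcde")
	fmt.Println("token-abcde still enabled:", enabled) // false
}
```

In a real controller `fetch` would be a `git fetch` plus a walk of the new commits (or a gitleaks invocation over them), and `TokenStore` would be the Rancher API client; the point of the sketch is that the scan loop only ever needs the public token name, so the revoker never has to persist the secret it found.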
Goal for this Hackweek
Basic Goals:
- Warn/Disable/Delete when an exposed token is detected
- Scan public and private repos
- Helm chart/CRD allowing install/use of basic functionality
Stretch Goals:
- Scan/specify organizations for larger git providers (i.e. scan an entire GitHub/GitLab org)
- Scan the output of CI pipelines (probably for popular providers such as Drone, Travis, CircleCI, GitHub Actions and GitLab runners)
Resources
Upstream project that we can utilize for some of our functionality: https://github.com/zricethezav/gitleaks
This project is part of:
Hack Week 22
Comments
over 2 years ago by mbolot
End of Hack Week update: I was able to get done with all basic goals and the github org scanning stretch goal, meaning that the revoker can:
- Warn/disable/delete exposed tokens
- Scan public/private repos (over HTTPS or SSH)
- Can be installed using Helm
- Can scan entire GitHub organizations.
Similar Projects
Rancher/k8s Trouble-Maker by tonyhansen
Project Description
When studying for my RHCSA, I found trouble-maker, which is a program that breaks a Linux OS and requires you to fix it. I want to create something similar for Rancher/k8s that can allow for troubleshooting an unknown environment.
Goals for Hackweek 25
- Update to modern Rancher and verify that existing tests still work
- Change testing logic to populate secrets instead of requiring a secondary script
- Add new tests
Goals for Hackweek 24 (Complete)
- Create a basic framework for creating Rancher/k8s cluster lab environments as needed for the Break/Fix
- Create at least 5 modules that can be applied to the cluster and require troubleshooting
Resources
- https://github.com/celidon/rancher-troublemaker
- https://github.com/rancher/terraform-provider-rancher2
- https://github.com/rancher/tf-rancher-up
- https://github.com/rancher/quickstart