
Authentication

Canary checker uses the Kubernetes ValuesFrom pattern to retrieve sensitive values like usernames, passwords and access keys.

Whenever a field uses the EnvVar object type you have the option of specifying the value in 3 ways:

EnvVar

  1. Statically in the value field
  2. From a Kubernetes ConfigMap, via the configMapKeyRef field
  3. From a Kubernetes Secret, via the secretKeyRef field

Static Values

Using an HTTP health check as an example for static values:

http-basic-auth-static.yaml
apiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
  name: http-basic-auth
spec:
  http:
    - url: https://httpbin.org/basic-auth/hello/world
      responseCodes: [200]
      authentication:
        username:
          value: hello
        password:
          value: world

Kubernetes Configmaps

To use a configmap, we first need to create the configmap:

kubectl create configmap basic-auth --from-literal=user=hello --from-literal=pass=world -n default

http-basic-auth-configmap.yaml
apiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
  name: http-basic-auth-configmap
spec:
  http:
    - url: https://httpbin.org/basic-auth/hello/world
      responseCodes: [200]
      authentication:
        username:
          valueFrom:
            configMapKeyRef:
              name: basic-auth
              key: user
        password:
          valueFrom:
            configMapKeyRef:
              name: basic-auth
              key: pass

Kubernetes Secrets

To use a secret, first we create the secret:

kubectl create secret generic basic-auth --from-literal=user=hello --from-literal=pass=world -n default

http-basic-auth-secret.yaml
apiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
  name: http-basic-auth-secret
spec:
  http:
    - url: https://httpbin.org/basic-auth/hello/world
      responseCodes: [200]
      authentication:
        username:
          valueFrom:
            secretKeyRef:
              name: basic-auth
              key: user
        password:
          valueFrom:
            secretKeyRef:
              name: basic-auth
              key: pass
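
An audit check for the three EnvVar sources shown above, added here as an example and not part of Canary checker: it walks parsed Canary objects and reports password fields that are set statically or read from a ConfigMap instead of a Secret. The `SENSITIVE` field list, the function names and the sample objects are assumptions constructed for this example.

```python
SENSITIVE = {"password"}  # assumption: add other credential field names here

def envvar_source(field):
    """Return 'secret', 'configMap' or 'static' for an EnvVar-shaped dict, else None."""
    if not isinstance(field, dict):
        return None
    src = field["valueFrom"] if isinstance(field.get("valueFrom"), dict) else {}
    if "secretKeyRef" in src:
        return "secret"
    if "configMapKeyRef" in src:
        return "configMap"
    return "static" if "value" in field else None

def walk(node, path):
    """Yield (path, source) for every EnvVar found under node."""
    if isinstance(node, list):
        for i, item in enumerate(node):
            yield from walk(item, f"{path}[{i}]")
    elif isinstance(node, dict):
        for key, child in node.items():
            source = envvar_source(child)
            if source:
                yield f"{path}.{key}", source
            else:
                yield from walk(child, f"{path}.{key}")

def findings(canaries):
    """Sensitive fields, across Canary objects, not read from a Secret."""
    return [(c["metadata"]["name"], path, source)
            for c in canaries
            for path, source in walk(c.get("spec", {}), "spec")
            if path.rsplit(".", 1)[-1] in SENSITIVE and source != "secret"]

def ref(kind, key):  # EnvVar that points at the basic-auth ConfigMap or Secret
    return {"valueFrom": {kind: {"name": "basic-auth", "key": key}}}

def canary(name, user, password):  # builds one constructed sample object
    auth = {"username": user, "password": password}
    return {"metadata": {"name": name}, "spec": {"http": [{"authentication": auth}]}}

# Constructed sample modelled on the three manifests on this page.
SAMPLE = [
    canary("http-basic-auth", {"value": "hello"}, {"value": "world"}),
    canary("http-basic-auth-configmap", ref("configMapKeyRef", "user"), ref("configMapKeyRef", "pass")),
    canary("http-basic-auth-secret", ref("secretKeyRef", "user"), ref("secretKeyRef", "pass")),
]

if __name__ == "__main__":
    print(*findings(SAMPLE), sep="\n")
```

The same functions accept the parsed `items` list from the cluster's Canary objects exported as JSON, so the check can run in CI before manifests are applied.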

Recommendations

Kubernetes Secrets are, by default, stored unencrypted in the API server's underlying data store (etcd). Anyone with API access can retrieve or modify a Secret, and so can anyone with access to etcd. With this in mind, it is recommended to implement some level of security to prevent unauthorized access to your Kubernetes secrets. You may consider the following for your encryption and security needs: