k3s-ansible/roles
anon-software 2d98982809
Security exposure related to the token (#356)
* Security exposure related to the token

The installation playbook saves the token into the systemd unit
configuration file /etc/systemd/system/k3s.service. The problem is that
according to K3s' documentation "the server token should be guarded
carefully" (https://docs.k3s.io/cli/token), yet the configuration file
is readable by anybody. A better solution is to save the token into its
corresponding environment file /etc/systemd/system/k3s.service.env which
is readable by the superuser only. This is what the standard K3s
installation script (https://get.k3s.io) does.

Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>

* Restore the server URL into systemd configuration file

There aren't any security implications in keeping it there.

Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>

---------

Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
2024-09-04 14:02:52 -07:00
airgap/tasks  Don't enable K3s service during airgap install (#345)  2024-07-08 10:58:08 -07:00
k3s_agent     Security exposure related to the token (#356)          2024-09-04 14:02:52 -07:00
k3s_server    Security exposure related to the token (#356)          2024-09-04 14:02:52 -07:00
k3s_upgrade   Make agent and server groups configurable (#331)       2024-06-04 10:06:14 -07:00
prereq        Add group variables to the prereq role (#334)          2024-06-10 09:58:06 -07:00
raspberrypi   More flexible cgroup settings (#352)                   2024-08-15 10:32:22 -07:00