►
From YouTube: Spinnaker Security SIG - Jason McIntosh, Armory
Description
Spinnaker Security SIG - Jason McIntosh, Armory
Join Jason McIntosh from Armory for an open discussion around security in Spinnaker and related security issues. Recent CVEs, RBAC, authentication/authorization, and any other security topic!
For more Continuous Delivery Foundation content, check out our blog: https://cd.foundation/blog/
A
Let's
go
ahead
and
get
started,
threw
up
a
poll,
and
this
is
just
a
simple
kind
of
thing
to
get
started.
Sig
security
covers,
you
know,
sort
of
security
around
spinnaker.
A
lot
of
what
we
deal
with
in
the
sig
is
just
simple
things
like
hey.
We
get
an
email,
there's
a
vulnerability
disclosed
or
hey.
We've
detected
some
issue
on
the
website.
What
does
that
all
mean?
How
do
we
answer
it?
The
security
sig
is
designed
to
answer
some
of
those
questions
in
the
operational
aspects
of
spinnaker
from
a
security
perspective.
A
So
simple
example,
we
got
an
email
the
other
day,
hey
our
build
system
is
potentially
vulnerable
to
a
domain
subdomain
takeover,
so
security
sig
investigated
realized.
Oh
yeah,
it's
not
actually
an
issue
because
one
it's
an
a
record,
it's
not
a
c
name
and
it
actually
works
on
https,
not
http,
so
that
wasn't
actually
a
vulnerable.
A
We
also
tend
to
respond
to
github
issues,
so
we
look
at
any
security
issues
reported
and
that
can
be
configuration
that
can
be
oh
questions
around
the
arbac
model.
Changes
to
the
arbec
model,
an
example
of
those
there's,
a
discussion
lately
around
whether
or
not
changing
the
permissions
for
the
ui
on
who
can
make
infrastructure
changes
was
appropriate
or
not,
and
that
went
through
a
couple
of
different
discussion
points.
A
A
So
that's
what
the
security
sig
does
were,
one
of
obviously
even
multiple
stakes,
so
I
threw
out
a
poll-
and
this
is
a
reminder
of
birds
of
a
feather
session.
So
it's
a
little
bit
of
hey.
Let's
talk
security
and
let's
have
a
conversation
around
security,
but
to
have
a
conversation.
I'd
like
to
know
what
people
are
looking
to
know
about,
so
that
can
be
a
couple
of
different
topics,
including
hey
our
back
of
spinnaker.
It
can
be,
you
know,
hey
how
to
use
spinnaker
to
you
know
improve
your
security.
A
A
I
think
the
poll
is
up
so
I'll.
Let
people
hopefully
join
and
ask
some
questions.
I
don't
want
to
just
sit
here
and
randomly
talk
about.
A
A
B
B
A
B
A
Go
ahead
and
start
on
maybe
the
our
back
model
in
spinnaker
and
again
I
said:
if
anybody
has
any
questions,
answers
feel
free
to
ask.
I
will
happily
do
my
best
to
answer
on
any
topic
around
security.
So
but
let's
start
off
with
a
simple
hello
world
sort
of
example,.
A
Spinnaker's
securities
in
the
arbec
model
is
really
broken
around
in
two
key
areas.
Your
account
permissions,
which
is
a
targeted
aws
account
or
a
targeted
docker
environment,
for
example,
or
a
kubernetes
cluster
and
spinnaker
abstracts
that
into
a
spinnaker
name
for
the
account
like
you
could
call
it
bob
and
that
talks
to
ek
is
cluster
x.
A
When
you
call
spinnaker
account
bob,
you
can
set
up
permissions
for
bob
who,
in
there
is
allowed
to
access
to,
read
and
or
write
to
bob
note
that
these
are
not
inherited.
So
if
you
do
write
but
not
read,
they
could
deploy,
but
they
wouldn't
be
able
to
tell
the
status
of
that
deployment.
So
generally,
you
want
both
read
and
write
if
you're
going
to
allow
right
operations
to
give
you
posture.
A
So
what
does
that
actually
entail?
Spinnaker's
permissions
model
is
entirely
group
based
role-based.
It
does
not
actually
grant
permissions
to
an
individual
user,
so
it
is
entirely
based
upon
a
set
of
groups.
Groups
can
come
from
saml
confirm,
ldap
spinnaker
will
automatically.
You
know,
use
any
of
the
groups
that
you
have
it
configured
for
now.
You
can
come
in
through
the
assertion.
I.E,
an
oauth
claim
you
can
come
in
through
a
sample
assertion
or
you
can
do
an
external
lookup
for
group
information
to
match
a
user
id
based
upon
the
login
username.
A
Those
external
sources
are
very
limited
in
what
they
are
all
that
being
probably
one
of
the
most
common
you
can
do,
ldap
to
open,
ldap,
active
directory,
etc.
It's
spring
security
frameworks
under
the
hood,
so
it
works
with
the
ldap
template
like
libraries,
the
group
information
once
it's
there,
that
is
used
for
how
you
can
assume
or
how
you
can
assign
permissions
to
your
accounts.
A
Now,
that's
just
read
writer
accounts
that
does
not
impact
whether
a
user
is
allowed
to
do
other
operations
through
the
ui
that
only
impacts
whether
or
not
they
can
deploy
or
list
say
services
in
a
cluster
application.
Permissions
are
the
other
aspect
of
spinnaker's
rbac
model
application
permissions.
A
Let
people
control
things
like
hey
apps
named
bob
or
jane,
or
you
know,
foo
hey,
who
can
read,
write
or
execute
stages
and
pipelines
in
that
given
application,
but
just
because
a
person
can
actually
execute
and
trigger
a
pipeline
does
not
mean
that
that
pipeline
can
deploy
to
anything.
So
you
can
grant
person
or
a
team.
I
should
say
permissions
all
day
long,
but
they
wouldn't
actually
be
able
to
deploy
anything.
A
So
what
does
that
look
like?
Let
me
bring
up
a
real,
quick
demo
app
here
and
I'll.
Show
you
a
simple
example
that
we
use
internally.
This
is
pretty
much
a
basic.
A
Here's
a
hello
world,
app,
very
basic
hello
world,
app
spinnaker
when
you
create
a
given
application,
an
application
is
just
an
abstraction
around
the
name.
All
it
does
is
let
you
set
things
like
hey.
What
accounts?
Could
I
use
for
deployments
some
basic
things,
but
you
also
note
hey,
there's
some
permissions.
A
These
permissions
come
from
whatever
your
auth
provider
is,
and
you
can
configure
them
pretty.
Simply
you
can
see
up
here.
I
can
set
read
only
read
and
execute
or
read,
write
and
execute
execute
lets
you,
fire
pipelines,
read
lets
you
read
all
of
it
and
write
actually
lets.
You
update
your
pipelines
very
simple
permissions,
but
again
only
impacts
this
application.
A
There's
this
handy
little
question
mark
that
explains
some
of
these.
There
now
note
to
use
these
permissions.
You
have
to
have
group
permissions,
turned
on
and
enabled,
if
you
don't
you're,
not
going
to
get
permissions,
so
you
generally
want
both
drop
down.
You'll
note:
these
are
groups.
This
is
actually
coming
from
a
github
org
as
an
example.
A
Basic
basic
permissions,
but,
as
said
just
because
you
have
permissions
here,
does
not
grant
you
permissions
to
actually
deploy
an
app
that
comes
from
a
very
different
spot.
If
we
look,
let's
see
if
this
will
follow
here,
we
document
those
permissions
in
spinnaker.io,
and
if
we
come
in
here
in
your
setup,
there
is
set
up
spinnaker.
There
is
a
security
and
I'll
just
get
a
security
authorization
and
authentication.
A
A
We
also
support
github
teams,
google
groups,
any
of
these
can
be
sources
for
group
information.
You
can
actually
do
ldap
or
sorry
oauth
groups
as
well.
If
the
oauth
claim
includes
a
role
assertion
as
part
of
the
claim,
this
page
documents
here
the
breakdown-
and
you
can
see-
I
just
mentioned-
like
your
application.
Permissions
are
not
the
same
as
your
account
permissions,
and
I
said
it's
open
by
default.
A
If
you
don't
define
it,
anybody
can
do
it.
So
a
general
rule
you're
going
to
want
to
set
permissions.
There
is
a
super
admin.
You
can
add
to
your
fiat,
which
is
the
permission
system
that
lets
them
do
anything.
So
you
can
say,
hey
group,
you
know
bob
is
allowed
to
do
anything
in
spinnaker.
Agree
will
completely
bypass
your
permissions
requirements.
We
document
here
and
I'm
not
going
to
read
through
your
docs,
we
document,
you
know
some
of
the
different
permissions
models
and
some
of
the
things
that
we've
just
talked
about.
A
There
are
a
couple
things
I
do
want
to
highlight
down
here.
These
are
controls
around
your
api,
so
you
can
always
investigate
by
right-clicking
and
you'll,
see
403
forbidden
in
your
development
console
when
it
talks
to
the
api
models.
So
hey
you
wanted
to
access
any
given
application.
The
api
is
where
the
permissions
are
managed.
A
When
we
have
a
pipeline,
you
can
configure
a
pipeline
to
actually
fire
an
automated
trigger
and
run
as
a
custom
permission.
I
don't
have
it
configured
in
this
environment
the
way
it
would
normally
do.
But
if
we
said
oh
yeah,
hey
every
execute
five
minutes.
You
can
set
this
to
run
as
a
service
account.
A
service
account
is
not
a
real
user
in
spinnaker,
it
is
just
an
abstraction
around
a
set
of
groups.
A
A
Now
here's
an
interesting
thing
that
we'll
hear
on
occasion
and
again,
please
feel
free
to
speak
up
and
ask
questions
on
any
of
these
permissions
elevation.
So
imagine
you
have
a
change
control
process,
I.e.
You
want
to
be
able
to
say:
oh
yeah,
the
development
teams
can
trigger
pipelines
all
day
long,
but
we
don't
want
them
to
deploy
to
an
account
without
the
account
going
through
a
change
management
approval
process.
A
A
You
can
propagate
your
authentication,
which
basically
will
change
the
permissions
on
follow-on
stages
to
use
the
permissions
of
whoever
approved
the
stage.
So,
for
example,
I
could
say
propagate
permissions
and
in
the
rest
of
the
stages
iea
deploy
stage.
If
I
had
a
deploy,
manifest
stage
would
actually
use
the
permissions
of
whoever
clicked
the
manual
judgment.
This
lets
you
have
one
team
trigger
a
pipeline
to
do
like
a
dev
deploy,
for
example,
and
then
a
manual
judgment
from
a
change
management
team
to
approve
it
for
a
production,
deploy
and
use
different
permissions.
A
A
So
that's
the
rough
outlines
of
the
pipeline
permissions
model
now
you're
not
going
to
see
your
target
permissions
in
here
I.e.
If
I
picked
an
account
like
one
of
our
internal
accounts,
I
wouldn't
see
the
permissions
that
that
account
is
set
up
with,
but
I
would
only
see
accounts
that
I
am
authorized
to
access
when
I
would
come
into
this
ui
and
pick
this
drop
down.
A
There
are
apis
that
let
you
query
this
and
see
the
permissions
on
this,
but,
as
a
general
rule,
you're
not
going
to
see
this
in
here.
This
is
going
to
be
in
your
config
file.
So
up
in
here,
you
can
do
it
through
a
couple
different
places,
I'm
going
to
real
quick,
bring
up
the
documentation
that
we
use
operator.
This
is
our
armory
docks
I
tend
to
like
going
over
here.
A
Permissions
you'll
read,
write,
execute
and
actually
I
forgot
create
was
added
fairly
recently,
but
I
don't
remember
if
it's
supported
for
all
of
them
like
it
is
yeah
it's
it
should
be
on
all
of
them.
A
B
B
A
Trying
to
find
the
link
for
where
it
is,
and
I
am
blind
there's
when
you're
configuring
these
you
can
set
the
permissions
for
the
accounts
from
a
model
perspective
here.
It
is
write
permissions,
for
example,
and
this
lets
you
control
when
you
add
the
account
to
spinnaker
what
permissions
are
set
at.
That
point
always
always
recommend
doing
one
of
those
if
you're
using
an
operator,
it's
just
adding
underneath
these
appropriate
ones
the
both.
A
Now
again,
the
reminder
is
read
and
write.
You
want
both,
because
various
stages
will
fail
because
they
will
be
able
to
get
the
status
of
a
deployment.
If
you
do
not
have
read
permissions
as
well
as
write
permissions.
A
A
A
Gotta
love
on
the
fly
here.
It
is
restrict
application
creation.
So
one
of
the
things-
and
I
think
it's
in
220-
it's
in
227,
there's
a
permissions
model.
It
was
in
a
newer
version
and
I'd
have
to
go
back
and
find
the
version
where
you
can
actually
restrict
whether
or
not
your
users
are
allowed
to
create
an
application.
A
A
A
These
are
getting
to
the
details
of
you
have
to
be
able
to
configure
it
directly,
but
you
can
control,
for
example,
pretty
low
level
things
like
oh
yeah,
here's
tomcat
properties
or
spring
properties
by
using
these
one
of
the
things
you
can
do,
though,
is
with
this
low-level
config
control,
who
can
create
on
a
given
wildcard
it's
prefix,
based,
for
example,
any
app
named
app
test.
You
can
use
this
to
also
apply
to
star
to
apply
all
and
that
would,
for
example,
prevent
people
from
being
able
to
create
applications.
A
You
know
your
company,
I
don't
want
to
tell
you
how
to
run
that,
but
spinnaker
grants
a
great
deal
of
flexibility
on
this
application
model.
B
A
A
I
don't
know
that
this
particular.
If
I
pick
up
an
actions
demo
or
one
of
our
other
demos.
A
A
Here
let
me
actually
just
bring
up
the
spinnaker
app
itself.
I
believe
I've
got
some
clusters
here.
Okay,
so
when
you
have
read
permissions
to
an
account,
you
can
pull,
like
instance,
ids
now,
in
this
particular
case,
there's
not
a
lot
of
data
here.
That
may
be
relevant,
but
you
are
potentially
exposing
information
that
you
may
not
intend
so,
as
a
rule
be
cautious
on
it
and
that's
really
an
organization
specific
question,
but
it
is
something
that
you
do
want
to
be
cognizant
of.
A
Is
this
clusters
tab
when
you
get
read
access
grants
access
to
this
account,
for
example,
this
is
like
our
dev
account,
so
I
can
get
into
any
of
the
details,
including
config
maps
or
other
things.
Now
I
wouldn't
be
able
to.
Unless
I
had
right,
do
modifications
to
that
account.
A
A
Answer
one
of
my
other
questions
that
I
tossed
in
the
poll
secrets
spinnaker
oh
pipeline
permissions,
there's
a
good
one.
Okay,
let's
talk
about
this.
Let
me
document
it
over
here,
there's
two
types
of
permissions
in
spinnaker
for
what
we
call
automated
triggers
and
if
we
come
back
here,
if
we
remember,
I
had
my
hello
world.
A
A
How
do
you
control
when
a
pipeline
executes
what
permissions
the
pipeline
executes
with
from
an
automated
trigger,
whether
that's
cron
somebody
did
a
git
pumish,
there's
a
new
home
chart
or
a
jenkins
job?
Any
of
these,
your
pipeline
permissions
and
your
service
accounts
are
controlling
this.
Now
a
service
account
is
just,
as
I
said
earlier,
a
wrapper
around
a
set
of
groups,
the
trigger
trick
with
a
service
account.
You
have
to
pre-create
them
directly,
calling
the
internal.50,
url
and
you'll.
A
A
A
Here's
what
this
does
pipeline
permissions
automatically
will
create
a
service
account
for
you
when
you
save
a
pipeline.
What,
instead,
will
do
is
it'll
change.
This
run
as
user
to
be
the
roles
that
you
you
again,
you
have
to
be
a
member
of
those
roles
to
be
able
to
assign
it
that
you
want
to
run
your
pipeline
with
now.
What
does
that?
Do?
I
said
it
when
you
save
it,
it
will
actually
create
a
dedicated
service
account
for
your
pipeline
associated
with
it
using
a
uid,
here's,
the
good
and
bad
to
that.
A
A
A
So
you
don't
have
a
duplicated
set
of
permissions
for
multiple
different
pipelines,
but,
as
a
general
rule
up
until
those
releases,
you
would
have
a
situation
where
imagine
you
had
10
000
different
pipelines
all
with
the
same
permissions,
you
would
end
up
with
10
000
service
accounts
that
abstract
each
one
of
those
that
includes
a
whole
lot
of
lookups.
That
also
impacts
your
synchronization
permissions,
so,
but
it
makes
it
much
simpler
to
configure
what
your
pipeline
will
run.
A
For
example,
you
know
if
I
were
targeting
aws
you're,
not
going
to
know
the
permissions
of
the
account
you're
deploying
to
we
don't
expose
that,
although
I
believe
again,
the
api
does
expose
it.
A
So
you'd
have
to
know
to
look
at
the
apa
to
know
what
permissions
the
account
is
set
up
with
so,
but
I
find
this
to
be
pretty
useful.
I
like
it,
but
it
is
two
different
models.
A
The
advantage
to
service
accounts
is
typically
admins
will
do
it
and
set
up
a
set
of
pre-baked
ones,
but
you're
not
always
going
to
be
able
to
assign
it,
because
you
may
not
have
the
permissions
to
do
so,
whereas
with
pipeline
permissions,
anybody
can
create
these
and
then
control
and
restrict
permissions
on
their
pipelines,
good
and
bad
to
both
it's
really
tied
to.
However,
you
want
to
manage
these
there's
an
automated
migration.
If
you
end
up
going
with
the
pipeline
permissions,
it's
a
newer
feature.
A
There
is
a
couple
of
caution
flags
I
hear
if
you
have
yeah
I'll,
just
let
you
read
through
this
doc
versus
going
through
it,
because
there
is
some
impact
of
hey
of
the
roles
and
where
okay,
you
have
to
be
a
member
of
all
the
groups
afterwards
to
be
able
to
edit
a
pipeline.
So
if
your
roles
change,
you
may
have
to
reset
some
of
the
permissions
on
a
pipeline
on
some
of
the
stuff.
A
A
A
If
I
remember
at
your
ci
and
if
you
look
here
at
like
your
jenkins,
you
can
set
your
read
and
write
permissions
on
your
ci.
So.
A
Any
of
your
ci
servers
it
it's
your
artifact
triggers
that
you
can't
control
the
permissions
on.
So
there
is
an
interesting
gotcha
and
a
caution
of
hey.
If
you
set
up
a
you
know,
artifact
account
responding
to
example,
a
private
home
repo,
be
aware
that
anybody
in
your
spinnaker
can
then
trigger
off
of
that
prime
or
that
helm
repo
and
pull
your
helm.
B
A
Not
too
much
of
an
issue,
but
that
one
is
one:
that's
not
really
advertised
as
a
yeah,
hey,
here's
the
risk
for
it.
A
A
Security
here
it
is
your
api
and
ui
ui
is
deck.
It's
static,
javascript
files
matter
of
fact,
you
can
go
to
any
spinnaker
and
you
can
look
at
it.
It's
just
static
files,
it's
relevant
because
that
can
impact
like
redirect
urls
and
certain
other
things,
and
what
features
are
enabled
you
can
go
to
any
spinnaker
and
look
at
those.
It
does
not
impact
and
store
any
secret
data
in
and
of
itself.
A
A
A
I'm
trying
to
see
if
I
have
any
of
them:
bookmarked
nope,
just
some
recent
cds-
I
was
doing
currently
most
of
the
cds-
are
published
in
netflix
security
bulletins
in
the
advisories
here,
we're
looking
at
potentially
moving
that
over
into
the
spinnaker
repo,
but
in
the
past.
This
is
where
we
have
published
these.
A
I'm
trying
to
think
if
this
is
nope.
I'd
have.
A
Here
we
go.
This
is
an
example
where
hey
there
was
a
server-side
request,
forgery
on
pipeline
templates.
This
was
you
can
see
here
on
orca
versions.
This
is
published
in
september
of
this
last
year.
A
I
distinctly
remember
this
one
because
it
was
tied
to
some
of
the
ammo
processing
on
templates,
so
security
sig
will
typically
announce
these
through
the
announcements
distribution
list.
The
way
these
will
actually
happen
is
we'll
get
a
report
of
a
vulnerability
we
will
respond
to
internally.
On
this
matter
of
fact,
there
is
a
policy.
A
A
I
do
have
to.
What
do
you
expect?
Hey,
we
give
credits,
it's
an
open
source.
We
don't
really
pay
anybody
for
this.
We
do
issue
thanks
and
we've
done
that
a
couple
times.
You
know
when
we're
allowed
to
give
credit
to
the
reporter.
A
So
what
does
this
happen?
So
the
first
thing
is:
send
it
to
security
at
spinnaker.
Io
security
sig
is
on
this
and
then
there's
some
internal
communications
that
that
triggers
we
end
up
going
through
it.
Oh
is
it
valid?
Yes,
oh
okay,
great.
We
need
to
figure
out
what
to
do
and
here's
the
next
steps
which,
as
you
can
see,
is
evaluating
the
products
and
we
have
a
process
here
that
goes
through
hey
what
is
involved.
A
How
do
we
rank
things?
How
do
we
track
it,
etc?
Internally,
as
so,
we
track
and
do
some
communications
until
we
fix
and
then
eventually
we
announce
it.
So
that's
where
you
will
see
that
show
up
and
currently
again
the
security
bulletins
here,
we'll
also
announce
it
in
the
security
sig
channel
and
we'll
do
it.
You
know
once
the
release
has
got
it
fixed
into
the
release
notes,
so
this
particular
cve,
let's
see
if
we've
got
the
link
to
the
cde,
it's
on
this
advisory.
A
Yeah,
I
don't
know
that
this
is
there's.
Actually,
I
think,
a
cv
mitra
for
it
as
well
on
this
particular
one,
and
we
announced
it
and
released
it.
I
said
it
was.
We
did
some
investigation,
we
discovered
it
was
actually
vulnerable.
We
were
able
to
replicate
it
and
which
one
we
had
teams
work
through
identifying
and
mitigating
a
fix.
A
I
don't
even
believe
they
mentioned
it
in
here,
but
there
is
a
render
I'll
have
to
find
the
exact
pull
request
that
fixes
it
obviously
there's
a
lot
of
changes
that
go
into
some
of
these
different
releases
and
actually,
I
think,
that's
I'm
not
even
sure,
that's
the
right
tag.
Oh
that's
yeah,
anything
less
than
that
this
particular
one.
It
was,
I
said,
a
yellow
person
on
the.
A
A
A
So
yeah,
that's
one
of
the
things
the
sig
security
does
is
help
coordinate
efforts
on
those
kinds
of
incidents,
investigate
them,
troubleshoot
them
and
assist
with
it
so
yeah
it's
usually.
These
aren't
made
public
until
they
fix
this
out,
at
which
point
we
will
announce.
Hey
here's
where
the
fix
is.
Please
go
update
as
soon
as
humanly
possible.
A
A
A
lot
of
what
we
do
is
more
coordination
of
some
of
the
investigation
and
some
initial
triage,
and
then
we
work
with
some
of
the
various
teams
to
actually
get
the
fixes,
depending
on
what
the
problem
is
and
where
I've
spent
a
fair
bit
of
time
with
the
docs
myself
and
answering
questions
versus
actually
requiring
fixes,
although
occasionally
there
are
some
areas
that
I'll
step
into
more
but
a
lot
of
times,
some
of
the
other
teams
will
end
up
owning
the
fix
versus
the
security,
sig,
actually
fixing
the
problems
so
but
we're
sort
of
the
front
lines
of
hey
yeah.
B
A
That's
cdes
vulnerabilities.
That's
some
of
the
rbac
model.
A
A
A
So,
for
example,
hey
there's
nothing
preventing
somebody
from
deploying
a
manifest
that
contains
a
service
account
as
long
as
spinnaker
has
permissions
to
create
that
service
account.
So
you
do
have
the
potential
where
spinnaker
can
allow
a
user
to
create
a
back
door,
just
a
caution
flag
again
on
hey
when
you
go
and
enable
an
account
in
spinnaker
you're,
creating
a
lot
of
access
to
it
so
be
aware
of
what
you're
granting.
A
Look
at
my
time
here:
we've
got
about
15
minutes,
left
secrets.
Spinnaker
does
not
normally
recommend
doing
secrets
inside
spinnaker.
You
know
generally
that's
better
for
side
cars
or
your
environment
injection
than
it
is
to
actually
use
spinnaker
to
do
it.
We
don't
recommend
it
just
as
a
principle
having
secrets
as
part
of
your
pipelines
or
as
part
of
anything
you
bake.
Don't
do
it.
Please
don't
embed
secrets
in
your
code
and
I
consider
docker
images
to
be
code
from
that
perspective.
A
So
the
short
answer
for
that
one
is
yeah,
don't
use
it
with
that
said,
you
can
use
vinegar
to
deploy
stuff
and
include,
like
hey,
go
load
this
environment
from
a
target
account
instead
of
you
know
trying
to
do
it.
Spinnaker
is
very
intentionally
not
doing
that.
Now
there
are
some
things
that
you
do
want
to
be
aware
of
from
the
secret
perspective.
A
So
hey
when
you
go
for
automated
triggers,
do
be
aware,
for
example,
hey
if
you're
doing
pub,
sub
or
say
web
hook,
you're
going
to
want
to
add
payload
constraints.
So
imagine
I
set
up
a
web
hook
and
I
said:
hey
go.
Allow
bob
to
configure
some
of
these
and
then
allow
a
trigger
webhook
bob
to
fire.
This
pipeline
well
web
hooks
as
a
general
rule.
Don't
have
authentication
they're
open
to
anybody.
Can
you
can
execute
it?
A
So
what
can
you
do?
Well,
from
a
permission,
security
perspective,
each
of
your
triggers
supports
a
slightly
different
functionality
jenkins
because
of
it
being
more
of
a
pull
model.
Well,
you
don't
have
as
much
of
an
issue
because
spinnaker
spinnaker's
talking
to
your
jenkins
and
pulling
data
from
dragons
to
trigger.
A
Web
hooks,
don't
have
the
same
thing,
but
what
you
can
do
with
web
hooks
is,
you
can
add
payload
constraints,
so
you
can
say.
Field
x
in
payload
must
be
some
arbitrary
string.
You
know
put
something
in
here
now:
one
caution:
this
value
is
not
encrypted,
which
means
anybody
who
has
access
to
your
pipeline
can
come.
Read
this
it's
a
constraint,
there's
a
certain
level
of
hey.
A
You
need
to
make
sure
your
app
has
the
right
permissions,
because
anybody
can
come
in
here
and
see
and
modify
this,
but
this
is
a
way
you
can
prevent
web
hooks
from
automatically
firing
unless
the
web
hooks
contain
some
sort
of
secret
identifier.
Each
of
the
different
triggers
supports
a
slightly
different
thing:
hey
you
have
a
docker.
You
can
control,
which
images
you
fire
on
if
you're
using
get.
B
A
A
A
A
All
right,
I
am
rolls
for
authenticating
with
eks
clusters.
Absolutely
when
you
configure
spinnaker
spinnaker
is
going
to
operate
within
the
permissions
of
the
cloud
provider
you're
running
it
in
so,
for
example,
if
you're
deploying
it
to
eks,
hopefully
your
worker
nodes
or
if
you
have
a
newer
one
using
the
oidc
mapping,
stuff
it'll,
actually
map
a
service
account
to
an
im
role.
Spinner
code
will
operate
with
that.
A
I
am
role,
so
that
means
you
can
use
eks
role,
assumption
with
eks
aws
off
config
maps
to
access
remote
clusters,
because
spinnaker
itself,
when
it
talks
to
kubernetes,
is
just
calling
kubectl
commands
under
the
hood.
So
when
you
go
through
and
you
configure
your
kubernetes
manifest
and
you
set
up,
you
know
your
eks
config.
This
contains
a
coupe
config
file.
A
Your
config
file
cloud
driver
will
have
aws
im
authenticator
as
well
as
the
awscli.
I
actually
recommend
the
aws
cli
for
token
acquisition
over
the
aws
im
authenticator.
A
There
are
certain
advantages
to
it,
so
do
recommend
using
that
over
I
am
authenticator,
but
yes,
it
will
actually
use
full
role
assumption
because
literally
it's
just
coupe
ctl
calls
under
the
hood
and
that
supports
all
the
sdks
on
there.
A
A
Okay
base
container
images
for
spinner
alpine
busy
boxer,
updated
cves
are
one
of
those
interesting
challenges
from
those.
Yes,
like
the
base.
Images
is
going
to
have
a
library
that's
out
of
date,
but
that
doesn't
necessarily
mean
spinnaker
itself
is
vulnerable
to
those,
for
example.
I
think
I
scanned
the
other
day
and
I
saw
like
image
magic
or
something
I'm
like
that's
not
even
directly
accessible.
A
This
defines
transitive
library
dependencies,
for
example,
what
version
of
aws
or
bouncy
castle
or
groovy
for
all
the
different
spinnaker
services
to
use.
So
this
is
probably
the
most
common
place
that
gets
a
little
out
of
date
and
does
need
to
be
updating
and
you'll.
Note
here,
like
occasionally,
we've
done
hey,
we
need
a
version
bump,
because
we've
detected
this
cve,
the
docker
images
themselves
are
updated
per
service.
So
if
we
look
at
spinnaker
gate,
for
example,
you
will
have
three
different
docker
files.
We
look
at
the
docker
file.
Slim
it's
on
alpine
311.
A
We
probably
need
to
bump
this.
It
doesn't
happen
as
often
as
we
probably
should.
Unfortunately,
I
would
encourage
pull
requests
and
testing
the
more
we
improve
this,
the
more
contributions
we
get,
the
better
on
that
so
yeah.
Unfortunately,
some
of
these
are
not
updated
as
often
as
it
would
be
ideal.
A
Cds
in
these
images,
though,
are
not
tracked.
Currently,
the
security
sig
has
been
talking
about
security
scanning.
Some
of
these.
It
has
not
been
implemented
any
place
at
this
point.
We're
actually
just
talking
about
using
one
of
the
off-the-shelf,
since
these
are
all
open
source,
we
can
actually
use
github's
native
security
scanning
for
some
of
this
stuff.
A
So,
unfortunately
the
short
answer
is
yeah.
It's
not
actually
being
tracked,
monitored
or
updated
automatically,
because
a
lot
of
times
these
don't
actually
trigger
vulnerabilities
in
spinnaker
themselves,
it's
just
they're
out
of
date,
and
they
need
to
keep
up
to
date
and
they're
using
libraries
that
have
vulnerabilities
in
them.
Potentially
that's
one
of
those
balance.
Acts
between
libraries
with
cds
versus
the
use
of
the
libraries,
so
keeping
up
to
date
on
any
of
that
stuff
is
a
very
challenging
challenging
process.
So
other
questions,
predefined
web
hook,
stages
that
require
base64
encoded
data.
A
And
matthew,
please
let
me
know
if
I
answered
your
question
on
the
cves
and,
I
said:
do
recommend
pull
requests
on
both
of
these
this
one,
the
gotcha
with
updating
some
of
these
libraries
by
the
way,
there's
so
much
interdependencies
on
some
of
these,
particularly
the
spring
in
some
of
the
ok
http
libraries
that
you
have
to
be
really
sensitive
like
I've
tested
a
couple
of
spring
security
changes
that
just
did
not
work
for
a
lot
of
services,
because,
even
though
spring
says
they're
complete
or
compliant,
it's
yeah,
they're,
not
always
compliant
with
each
other,
I.e.
A
I've
seen
oh
yeah,
I
bumped
spring
security
from
5.2.3.5.2.4,
not
that
those
are
real
numbers
and
things
broke,
even
though
it
was
supposed
to
be
a
patch
version
bump.
So
armory
just
have
to
throw
a
little
thing
there.
That's
one
of
the
things
we
struggle
with
on
a
fairly
regular
basis
is
trying
to
manage
some
of
those
versions
and
keep
those
up
to
date
and
yeah
netflix
has
their
own
sort
of
extensions
on
top
of
it
as
well.
A
So
yeah
it's
a
challenge
and
trying
to
get
those
to
compile
and
work
is
an
equally
hard
challenge
back
to
the
other
qa
predefined
web
hook
stages
that
base64
coded
secrets.
A
A
It's
probably
a
topic,
that'd
be
a
good
blog
post
for
the
future,
so
yeah.
I
think
I'll
delay
that
one
for
now,
but
don't
as
much
as
possible
use
secrets
and
instead
use
environment,
injected
or
side
cars
to
reference
secrets
through
a
secret
provider.
So
for
an
example,
you
would
want
to
use
awk
secrets
manager,
vaults,
one
of
the
you
know
various
platform
secret
injection
libraries
to
reference,
a
secret
versus
having
it
as
part
of
your
environment,
very
powerful
tools.
A
A
Yeah,
that's
the
general
rule
is,
if
you
can
have
it
as
a
separate
system
that
pulls
secrets
through
an
environment
and
uses
like
hey
automatic
secret
rotation.
Vault's
got
a
pretty
good
sidecar
implementation
that
I
really
like
and
you
can
use.
I
am
in
kate's
authentication
with
that,
for
example,
and
that
lets
you
dynamically
inject
secrets
versus
embedding
them
into
your
platform.
B
Security,
it's
an
ongoing
thing.
Pay
attention
to
it,
understand,
there's
a
lot.
A
Of
flexibility
in
the
platform
and
anytime,
you
have
that
much
flexibility.
You
can
also
shoot
yourself
in
the
foot
really
easily.
So
you
know,
depending
on
your
environment,
depending
on
your
regulations,
it's
definitely
something
to
pay
a
significant
amount
of
attention
to
and
understand
the
good
and
the
bad.
A
lot
of
options
on
this
always
encourage
enable
it
and
please
come
to
the
seg,
welcome
assistance,
triaging,
pull
requests,
etc.