privilegedescalation/headlamp-sealed-secrets-plugin
12
0
Fork 0
Code Issues 2 Pull Requests 2 Actions Packages Projects Releases 27 Wiki Activity
Files
inline-ci-64d28591
headlamp-sealed-secrets-plugin/SECURITY.md
T
privilegedescalation-engineer[bot] 67602fb279 chore: replace Dependabot references with Renovate (#55) 
- SECURITY.md: update to mention Renovate instead of Dependabot
- README.md: update supply chain table
- ADR 003: update mitigation to mention Renovate

Closes PRI-389. Parent PRI-387.

Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
2026-05-04 21:19:15 +00:00

3.3 KiB
Raw Permalink Blame History

Security Policy

Overview

The Headlamp Sealed Secrets Plugin enables users to create and manage SealedSecret resources within the Headlamp UI. Unlike read-only plugins, this plugin performs write operations against the Kubernetes API, creating and updating SealedSecret custom resources.

Security Model

Write Operations

The plugin creates and updates SealedSecret custom resources in the cluster. All encryption of secret values happens client-side using the node-forge library and the cluster's public sealing certificate. Plaintext secret values are never sent to the Kubernetes API -- only the encrypted SealedSecret manifests are written.

Data Flow

User Browser
    ↓ (user enters secret values)
Plugin Frontend (React + node-forge)
    ↓ (encrypts values client-side using sealing certificate)
Headlamp Pod
    ↓ (in-cluster service account or user token)
Kubernetes API Server
    ↓ (creates/updates SealedSecret CR)
Sealed Secrets Controller
    ↓ (decrypts and creates Secret)

Plaintext secret values exist only in the browser's memory during the encryption step. They are never persisted to disk, localStorage, or transmitted unencrypted.

RBAC Requirements

The plugin requires permissions on SealedSecret custom resources and the ability to fetch the sealing certificate:

Verb API Group Resource Notes
get, list, watch bitnami.com sealedsecrets Read existing SealedSecrets
create, update, patch bitnami.com sealedsecrets Create/update SealedSecrets
get "" (core) services/proxy Fetch sealing certificate from controller

Apply the principle of least privilege: scope permissions to specific namespaces where users should be able to manage SealedSecrets.

Vulnerability Reporting

Supported Versions

Security updates are applied to the latest release only.

Version Supported
latest Yes
< latest No

Reporting a Vulnerability

If you discover a security vulnerability, please report it via:

  1. GitHub Security Advisories: Report a vulnerability

Please do not open public GitHub issues for security vulnerabilities or disclose vulnerabilities publicly before a fix is available.

Response Timeline:

  • Acknowledgment: Within 48 hours
  • Initial Assessment: Within 1 week
  • Fix Timeline: Depends on severity

Dependency Security

Key dependencies with security implications:

  • node-forge: Used for client-side encryption of secret values with the cluster's sealing certificate. Keep this dependency up to date.
  • @kinvolk/headlamp-plugin: Peer dependency providing the Kubernetes API proxy. Update by upgrading your Headlamp installation.

The project uses npm audit and Renovate to monitor for known vulnerabilities.

Contact

License

This plugin is provided under the Apache-2.0 License. See LICENSE for details.

Reference in New Issue View Git Blame Copy Permalink