Phase 1 — Structural overhaul:
- Move all source from headlamp-sealed-secrets/ subdirectory to repo root
- Delete 23 AI-generated docs, 8 pre-built tarballs, release snapshots dir
- Remove all working-directory refs from CI/release workflows
- Update install-plugin.sh and typedoc.json paths

Phase 2 — Config standardization:
- Create .eslintrc.js and .prettierrc.js (standard Headlamp configs)
- Remove inline eslintConfig/prettier from package.json (drop jsx-a11y, prettier extends)
- Rewrite tsconfig.json (package name extend, add compilerOptions.types)
- Create vitest.config.mts and vitest.setup.ts (standard from polaris)
- Replace headlamp-plugin CLI scripts with direct tool invocation
- Rewrite .gitignore with standard baseline

Phase 3 — MCP & Claude settings:
- Create .mcp.json with github/kubernetes/flux/playwright servers
- Create .claude/settings.local.json
- Remove 7 specialized agents, keep 3 meta-orchestration agents

Phase 4 — Documentation:
- Rewrite CLAUDE.md (remove subdirectory refs, standard format)
- Add ArtifactHub badge, Architecture section, standardized install methods to README.md
- Create CONTRIBUTING.md and SECURITY.md
- Fix pre-existing test bugs in validators.test.ts (isValidNamespace returns boolean, not ValidationResult; error message string mismatches)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Security Policy
Overview
The Headlamp Sealed Secrets Plugin enables users to create and manage SealedSecret resources within the Headlamp UI. Unlike read-only plugins, this plugin performs write operations against the Kubernetes API, creating and updating SealedSecret custom resources.
Security Model
Write Operations
The plugin creates and updates SealedSecret custom resources in the cluster. All encryption of secret values happens client-side using the node-forge library and the cluster's public sealing certificate. Plaintext secret values are never sent to the Kubernetes API -- only the encrypted SealedSecret manifests are written.
Data Flow
User Browser
↓ (user enters secret values)
Plugin Frontend (React + node-forge)
↓ (encrypts values client-side using sealing certificate)
Headlamp Pod
↓ (in-cluster service account or user token)
Kubernetes API Server
↓ (creates/updates SealedSecret CR)
Sealed Secrets Controller
↓ (decrypts and creates Secret)
Plaintext secret values exist only in the browser's memory during the encryption step. They are never persisted to disk or localStorage, and never transmitted unencrypted.
RBAC Requirements
The plugin requires permissions on SealedSecret custom resources and the ability to fetch the sealing certificate:
| Verb | API Group | Resource | Notes |
|---|---|---|---|
| get, list, watch | bitnami.com | sealedsecrets | Read existing SealedSecrets |
| create, update, patch | bitnami.com | sealedsecrets | Create/update SealedSecrets |
| get | "" (core) | services/proxy | Fetch sealing certificate from controller |
Apply the principle of least privilege: scope permissions to specific namespaces where users should be able to manage SealedSecrets.
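A namespace-scoped rendering of the table above, as an added example rather than manifests shipped by this project. The namespace `team-a`, the group `team-a-secret-editors`, and the controller Service `sealed-secrets-controller` in `kube-system` are assumptions; if Headlamp talks to the API with its in-cluster service account, bind that account instead of the group.

```yaml
# Added example. Namespaces, group and controller Service name are assumptions.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: sealedsecret-editor
  namespace: team-a                  # only this namespace, no ClusterRole
rules:
  - apiGroups: ["bitnami.com"]
    resources: ["sealedsecrets"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sealedsecret-editor
  namespace: team-a
subjects:
  - kind: Group
    name: team-a-secret-editors      # assumed group name
    apiGroup: rbac.authorization.k8s.io
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: sealedsecret-editor
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: sealing-cert-reader
  namespace: kube-system             # assumed controller namespace
rules:
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["sealed-secrets-controller"]  # assumed; must match the name form used in the proxy URL
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sealing-cert-reader
  namespace: kube-system
subjects:
  - kind: Group
    name: team-a-secret-editors
    apiGroup: rbac.authorization.k8s.io
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: sealing-cert-reader
```

Neither Role grants any verb on core `secrets`, so a subject bound only to these can seal values but cannot read the Secret the controller produces. Restricting `services/proxy` with `resourceNames` keeps the proxy permission from reaching other Services in the controller's namespace.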
Vulnerability Reporting
Supported Versions
Security updates are applied to the latest release only.
| Version | Supported |
|---|---|
| latest | Yes |
| < latest | No |
Reporting a Vulnerability
If you discover a security vulnerability, please report it via:
- GitHub Security Advisories: Report a vulnerability
Please do not open public GitHub issues for security vulnerabilities or disclose vulnerabilities publicly before a fix is available.
Response Timeline:
- Acknowledgment: Within 48 hours
- Initial Assessment: Within 1 week
- Fix Timeline: Depends on severity
Dependency Security
Key dependencies with security implications:
- node-forge: Used for client-side encryption of secret values with the cluster's sealing certificate. Keep this dependency up to date.
- @kinvolk/headlamp-plugin: Peer dependency providing the Kubernetes API proxy. Update by upgrading your Headlamp installation.
The project uses npm audit and Dependabot to monitor for known vulnerabilities.
Contact
- Security Issues: GitHub Security Advisories
- Bug Reports: GitHub Issues
License
This plugin is provided under the Apache-2.0 License. See LICENSE for details.