privilegedescalation/headlamp-sealed-secrets-plugin
12
0
Fork 0
Code Issues 2 Pull Requests 2 Actions Packages Projects Releases 27 Wiki Activity
Files
af95c3795cc2cfcbe2f2750b152a84278a0ef12b
headlamp-sealed-secrets-plugin/SECURITY.md
T
DevContainer User af95c3795c chore: move source to repo root and standardize config 
Phase 1 — Structural overhaul:
- Move all source from headlamp-sealed-secrets/ subdirectory to repo root
- Delete 23 AI-generated docs, 8 pre-built tarballs, release snapshots dir
- Remove all working-directory refs from CI/release workflows
- Update install-plugin.sh and typedoc.json paths

Phase 2 — Config standardization:
- Create .eslintrc.js and .prettierrc.js (standard Headlamp configs)
- Remove inline eslintConfig/prettier from package.json (drop jsx-a11y, prettier extends)
- Rewrite tsconfig.json (package name extend, add compilerOptions.types)
- Create vitest.config.mts and vitest.setup.ts (standard from polaris)
- Replace headlamp-plugin CLI scripts with direct tool invocation
- Rewrite .gitignore with standard baseline

Phase 3 — MCP & Claude settings:
- Create .mcp.json with github/kubernetes/flux/playwright servers
- Create .claude/settings.local.json
- Remove 7 specialized agents, keep 3 meta-orchestration agents

Phase 4 — Documentation:
- Rewrite CLAUDE.md (remove subdirectory refs, standard format)
- Add ArtifactHub badge, Architecture section, standardized install methods to README.md
- Create CONTRIBUTING.md and SECURITY.md
- Fix pre-existing test bugs in validators.test.ts (isValidNamespace returns boolean,
  not ValidationResult; error message string mismatches)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-03 21:31:12 +00:00

83 lines
3.3 KiB
Markdown
Raw Blame History

# Security Policy
## Overview
The Headlamp Sealed Secrets Plugin enables users to create and manage SealedSecret resources within the Headlamp UI. Unlike read-only plugins, this plugin performs **write operations** against the Kubernetes API, creating and updating SealedSecret custom resources.
## Security Model
### Write Operations
The plugin creates and updates `SealedSecret` custom resources in the cluster. All encryption of secret values happens **client-side** using the `node-forge` library and the cluster's public sealing certificate. Plaintext secret values are never sent to the Kubernetes API -- only the encrypted SealedSecret manifests are written.
### Data Flow
```
User Browser
↓ (user enters secret values)
Plugin Frontend (React + node-forge)
↓ (encrypts values client-side using sealing certificate)
Headlamp Pod
↓ (in-cluster service account or user token)
Kubernetes API Server
↓ (creates/updates SealedSecret CR)
Sealed Secrets Controller
↓ (decrypts and creates Secret)
```
Plaintext secret values exist only in the browser's memory during the encryption step. They are never persisted to disk, localStorage, or transmitted unencrypted.
### RBAC Requirements
The plugin requires permissions on SealedSecret custom resources and the ability to fetch the sealing certificate:
| Verb | API Group | Resource | Notes |
|------|-----------|----------|-------|
| `get`, `list`, `watch` | `bitnami.com` | `sealedsecrets` | Read existing SealedSecrets |
| `create`, `update`, `patch` | `bitnami.com` | `sealedsecrets` | Create/update SealedSecrets |
| `get` | `""` (core) | `services/proxy` | Fetch sealing certificate from controller |
Apply the principle of least privilege: scope permissions to specific namespaces where users should be able to manage SealedSecrets.
## Vulnerability Reporting
### Supported Versions
Security updates are applied to the latest release only.
| Version | Supported |
| ------- | --------- |
| latest | Yes |
| < latest| No |
### Reporting a Vulnerability
If you discover a security vulnerability, please report it via:
1. **GitHub Security Advisories**: [Report a vulnerability](https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/security/advisories/new)
**Please do not** open public GitHub issues for security vulnerabilities or disclose vulnerabilities publicly before a fix is available.
**Response Timeline:**
- **Acknowledgment**: Within 48 hours
- **Initial Assessment**: Within 1 week
- **Fix Timeline**: Depends on severity
## Dependency Security
Key dependencies with security implications:
- **node-forge**: Used for client-side encryption of secret values with the cluster's sealing certificate. Keep this dependency up to date.
- **@kinvolk/headlamp-plugin**: Peer dependency providing the Kubernetes API proxy. Update by upgrading your Headlamp installation.
The project uses `npm audit` and Dependabot to monitor for known vulnerabilities.
## Contact
- **Security Issues**: [GitHub Security Advisories](https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/security/advisories)
- **Bug Reports**: [GitHub Issues](https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/issues)
## License
This plugin is provided under the Apache-2.0 License. See [LICENSE](LICENSE) for details.
Reference in New Issue View Git Blame Copy Permalink