📚 KafkaUser in another namespace


💡 News category: Programming
🔗 Source: dev.to

We are integrating Fluent Bit with Kafka on Kubernetes, deployed using strimzi.io, and we hit our first issue.

When we create a KafkaUser in our fluent namespace, Strimzi does not create the secret needed for TLS:

apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaUser
metadata:
  name: fluent
  namespace: fluent
  labels:
    strimzi.io/cluster: debezium-cluster
spec:
  authentication:
    type: tls
  authorization:
    type: simple
    acls:
      - resource:
          name: '*'
          patternType: literal
          type: topic
        operation: All
      - resource:
          name: '*'
          patternType: literal
          type: group
        operation: All
      - resource:
          type: cluster
        operation: All

It simply sits there, never becoming READY:

kubectl get kafkauser
NAME     CLUSTER            AUTHENTICATION   AUTHORIZATION   READY
fluent   debezium-cluster   tls              simple

Reading up, this appears to be a long-running issue: the User Operator only reconciles KafkaUser resources in the namespace of its Kafka cluster, and it creates the user secret there. Although there is a fix for Java applications, it would appear you need to deploy something else to mirror the generated secret into the fluent namespace.

One of the comments led us to https://config-syncer.com/docs/v0.14.7/setup/install/, which in turn mentioned another tool, emberstack/kubernetes-reflector.

Installation is straightforward:

helm repo add emberstack https://emberstack.github.io/helm-charts
helm repo update
helm upgrade --install reflector -n emberstack --create-namespace emberstack/reflector

Then you need to move the KafkaUser into the Kafka cluster's namespace, annotate its secret template so that reflector may mirror the generated secret into fluent, and apply it:

apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaUser
metadata:
  name: fluent
  namespace: kafka
  labels:
    strimzi.io/cluster: debezium-cluster
spec:
  authentication:
    type: tls
  template:
    secret:
      metadata:
        annotations:
          reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
          reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "fluent"
  authorization:
    type: simple
    acls:
      - resource:
          name: '*'
          patternType: literal
          type: topic
        operation: All
      - resource:
          name: '*'
          patternType: literal
          type: group
        operation: All
      - resource:
          type: cluster
        operation: All

Finally, create an empty secret in the fluent namespace and annotate it so that reflector mirrors the secret created previously into it:

apiVersion: v1
kind: Secret
metadata:
  name: fluent
  namespace: fluent
  annotations:
    reflector.v1.k8s.emberstack.com/reflects: "kafka/fluent"
type: Opaque

Once that is applied, the secret is mirrored (and kept in sync):

kubectl get secret fluent -n kafka
NAME     TYPE     DATA   AGE
fluent   Opaque   5      26m

kubectl get secret fluent -n fluent
NAME     TYPE     DATA   AGE
fluent   Opaque   5      19m

You can now reference the secret in your config.
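As an added example (not from the original post or from either project), a small policy check a platform team could run in CI against the manifests above: it flags a KafkaUser created outside the Kafka cluster's namespace (the stuck first attempt), an empty reflection-allowed-namespaces list (which would let any namespace mirror the user's TLS key), a mirror namespace outside that list, and a reflects annotation that does not point at the source. The cluster namespace kafka, the five data keys of a Strimzi tls user secret and the manifests are constructed here from the page's values.

```python
import re

# Annotation prefix of emberstack/kubernetes-reflector (taken from the page's manifests).
REFLECT = "reflector.v1.k8s.emberstack.com/"
# Data keys Strimzi writes into a tls KafkaUser secret (assumption; matches DATA=5 above).
EXPECTED_KEYS = {"ca.crt", "user.crt", "user.key", "user.p12", "user.password"}

def check_reflection(kafka_user, mirror, cluster_namespace):
    """Return findings for a KafkaUser and its mirror Secret; an empty list means consistent."""
    findings = []
    src_ns, src_name = kafka_user["metadata"]["namespace"], kafka_user["metadata"]["name"]
    # The User Operator only reconciles KafkaUsers in the Kafka cluster's namespace, so a
    # user created elsewhere never becomes READY and never gets a secret (the first attempt).
    if src_ns != cluster_namespace:
        findings.append(f"KafkaUser {src_name} is in {src_ns}, not in cluster namespace {cluster_namespace}")
    ann = (kafka_user.get("spec", {}).get("template", {}).get("secret", {})
           .get("metadata", {}).get("annotations", {}))
    if ann.get(REFLECT + "reflection-allowed") != "true":
        findings.append("source secret template does not allow reflection")
    # reflector reads a comma-separated list of namespace names or regular expressions;
    # an empty or missing list allows reflection into every namespace and over-exposes the key.
    allowed = [p.strip() for p in ann.get(REFLECT + "reflection-allowed-namespaces", "").split(",") if p.strip()]
    if not allowed:
        findings.append("reflection-allowed-namespaces is empty: any namespace may mirror the TLS key")
    mirror_ns = mirror["metadata"]["namespace"]
    if allowed and not any(re.fullmatch(p, mirror_ns) for p in allowed):
        findings.append(f"mirror namespace {mirror_ns} is not in allowed list {allowed}")
    reflects = mirror["metadata"].get("annotations", {}).get(REFLECT + "reflects")
    if reflects != f"{src_ns}/{src_name}":
        findings.append(f"mirror annotation reflects={reflects!r}, expected {src_ns}/{src_name}")
    return findings

def mirror_in_sync(source_secret, mirror_secret):
    """True when the mirror carries exactly the source's data (catches a stale or partial copy)."""
    src, dst = source_secret.get("data", {}), mirror_secret.get("data", {})
    return set(src) == EXPECTED_KEYS and src == dst

def kafka_user(namespace, allowed_namespaces):
    """Constructed KafkaUser manifest based on the page's YAML (ACLs omitted for brevity)."""
    return {"apiVersion": "kafka.strimzi.io/v1beta2", "kind": "KafkaUser",
            "metadata": {"name": "fluent", "namespace": namespace,
                         "labels": {"strimzi.io/cluster": "debezium-cluster"}},
            "spec": {"authentication": {"type": "tls"}, "template": {"secret": {"metadata": {
                "annotations": {REFLECT + "reflection-allowed": "true",
                                REFLECT + "reflection-allowed-namespaces": allowed_namespaces}}}}}}

# Constructed mirror Secret as on the page: empty, in fluent, pointing back at kafka/fluent.
MIRROR = {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
          "metadata": {"name": "fluent", "namespace": "fluent",
                       "annotations": {REFLECT + "reflects": "kafka/fluent"}}}
```

check_reflection(kafka_user("fluent", "fluent"), MIRROR, "kafka") reproduces the stuck first attempt, while kafka_user("kafka", "fluent") with the same mirror returns no findings.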

Next, read how to sync the Kafka cluster CA certificate into your namespace as well.

...


