MAJOR: limit access to k8s secret token

oktalz · dkorunic · oktalz · commit e07e01deba36 · 2025-09-30T11:23:01.000+02:00
Co-authored-by: Dinko Korunic &lt;dkorunic@haproxy.com&gt;
diff --git a/.gitignore b/.gitignore
@@ -8,3 +8,4 @@ bin/golangci-lint
 bin/check-commit
 .local/*
 __debug_bin*
+pkg/protection/libblock_secrets.so
diff --git a/build/Dockerfile b/build/Dockerfile
@@ -12,8 +12,14 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM golang:1.24-alpine AS builder
+FROM haproxytech/haproxy-alpine:3.2 AS builder-c
+RUN apk add --no-cache build-base gcc musl-dev
+WORKDIR /src
+
+COPY pkg/protection/block_secrets.c .
+RUN gcc -O3 -Wall -flto -fPIC -shared -s -o libblock_secrets.so block_secrets.c -ldl
 
+FROM golang:1.24-alpine AS builder
 RUN apk --no-cache add git openssh
 
 COPY /go.mod /src/go.mod
@@ -46,7 +52,6 @@ RUN apk --no-cache add socat openssl util-linux htop tzdata curl libcap && \
     rm -f /usr/local/bin/dataplaneapi-v2 /usr/bin/dataplaneapi-v2 && \
     chgrp -R haproxy /usr/local/etc/haproxy /run /var && \
     chmod -R ug+rwx /usr/local/etc/haproxy /run /var && \
-    setcap 'cap_net_bind_service=+ep' /usr/local/sbin/haproxy && \
     case "${TARGETPLATFORM}" in \
         "linux/arm64")      S6_ARCH=aarch64      ;; \
         "linux/amd64")      S6_ARCH=x86_64       ;; \
@@ -69,4 +74,6 @@ RUN apk --no-cache add socat openssl util-linux htop tzdata curl libcap && \
 
 COPY --from=builder /src/fs/haproxy-ingress-controller .
 
+COPY --from=builder-c /src/libblock_secrets.so /usr/local/lib/libblock_secrets.so
+
 ENTRYPOINT ["/start.sh"]
diff --git a/build/Dockerfile.dev b/build/Dockerfile.dev
@@ -11,11 +11,14 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
+FROM haproxytech/haproxy-alpine:3.2 AS builder-c
+RUN apk add --no-cache build-base gcc musl-dev
+WORKDIR /src
+COPY pkg/protection/block_secrets.c .
+RUN gcc -O3 -Wall -flto -fPIC -shared -s -o libblock_secrets.so block_secrets.c -ldl
 
 FROM haproxytech/haproxy-alpine:3.2
-
 ARG TARGETPLATFORM
-
 ARG S6_OVERLAY_VERSION=3.1.6.2
 ENV S6_OVERLAY_VERSION=$S6_OVERLAY_VERSION
 ENV S6_READ_ONLY_ROOT=1
@@ -28,7 +31,6 @@ RUN apk --no-cache add socat openssl util-linux htop tzdata curl libcap && \
     rm -f /usr/local/bin/dataplaneapi /usr/bin/dataplaneapi /etc/haproxy/dataplaneapi.yml && \
     chgrp -R haproxy /usr/local/etc/haproxy /run /var && \
     chmod -R ug+rwx /usr/local/etc/haproxy /run /var && \
-    setcap 'cap_net_bind_service=+ep' /usr/local/sbin/haproxy && \
     case "${TARGETPLATFORM}" in \
         "linux/arm64")      S6_ARCH=aarch64      ;; \
         "linux/amd64")      S6_ARCH=x86_64       ;; \
@@ -51,4 +53,6 @@ RUN apk --no-cache add socat openssl util-linux htop tzdata curl libcap && \
 
 COPY kubernetes-ingress  ./haproxy-ingress-controller
 
+COPY --from=builder-c /src/libblock_secrets.so /usr/local/lib/libblock_secrets.so
+
 ENTRYPOINT ["/start.sh"]
diff --git a/build/Dockerfile.pebble b/build/Dockerfile.pebble
@@ -11,6 +11,12 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
+FROM haproxytech/haproxy-alpine:3.2 AS builder-c
+RUN apk add --no-cache build-base gcc musl-dev
+WORKDIR /src
+
+COPY pkg/protection/block_secrets.c .
+RUN gcc -O3 -Wall -flto -fPIC -shared -s -o libblock_secrets.so block_secrets.c -ldl
 
 FROM golang:1.24-alpine AS builder
 
@@ -41,7 +47,6 @@ RUN apk --no-cache add socat openssl util-linux htop tzdata curl libcap && \
     rm -f /usr/local/bin/dataplaneapi /usr/bin/dataplaneapi && \
     chgrp -R haproxy /usr/local/etc/haproxy /run /var && \
     chmod -R ug+rwx /usr/local/etc/haproxy /run /var && \
-    setcap 'cap_net_bind_service=+ep' /usr/local/sbin/haproxy && \
     chown -R haproxy:haproxy /var/lib/pebble/default && \
     chmod ugo+rwx /var/lib/pebble/default/* && \
     rm -rf /etc/services.d/haproxy && \
@@ -52,4 +57,6 @@ RUN apk --no-cache add socat openssl util-linux htop tzdata curl libcap && \
 COPY --from=builder /go/bin/pebble /usr/local/bin
 COPY --from=builder /src/fs/haproxy-ingress-controller .
 
+COPY --from=builder-c /src/libblock_secrets.so /usr/local/lib/libblock_secrets.so
+
 ENTRYPOINT ["/start-pebble.sh"]
diff --git a/fs/etc/s6-overlay/s6-rc.d/haproxy/run b/fs/etc/s6-overlay/s6-rc.d/haproxy/run
@@ -22,6 +22,7 @@ if [ -r "${CG_LIMIT_FILE}" ]; then
 fi
 
 echo "Memory limit for HAProxy: ${MEMLIMIT}MiB"
+export LD_PRELOAD=/usr/local/lib/libblock_secrets.so
 
 # if master socket is changed, that needs to be aligned in pkg/haproxy/process/interface.go
 exec /usr/local/sbin/haproxy -W -db -m "${MEMLIMIT}" -S /var/run/haproxy-master.sock,level,admin -f /etc/haproxy/haproxy.cfg -f /etc/haproxy/haproxy-aux.cfg
diff --git a/pkg/protection/block_secrets.c b/pkg/protection/block_secrets.c
@@ -0,0 +1,137 @@
+/* Copyright 2025 HAProxy Technologies LLC                                    */
+/*                                                                            */
+/* Licensed under the Apache License, Version 2.0 (the "License");            */
+/* you may not use this file except in compliance with the License.           */
+/* You may obtain a copy of the License at                                    */
+/*                                                                            */
+/*    http://www.apache.org/licenses/LICENSE-2.0                              */
+/*                                                                            */
+/* Unless required by applicable law or agreed to in writing, software        */
+/* distributed under the License is distributed on an "AS IS" BASIS,          */
+/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   */
+/* See the License for the specific language governing permissions and        */
+/* limitations under the License.                                             */
+
+#include <dlfcn.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#define PATH_MAX 4096
+#define BLOCKED_PATH "/var/run/secrets/kubernetes.io/"
+
+static char canonical_blocked[PATH_MAX] = {0};
+static size_t canonical_blocked_len = 0;
+
+__attribute__((constructor)) static void init_blocked_path() {
+  if (!realpath(BLOCKED_PATH, canonical_blocked)) {
+    strncpy(canonical_blocked, BLOCKED_PATH, PATH_MAX - 1);
+    canonical_blocked[PATH_MAX - 1] = '\0';
+  }
+  canonical_blocked_len = strlen(canonical_blocked);
+}
+
+__attribute__((always_inline)) inline static int
+is_blocked(const char *pathname) {
+  char resolved[PATH_MAX];
+  const char *target = pathname;
+
+  if (realpath(pathname, resolved)) {
+    target = resolved;
+  }
+
+  return strncmp(target, canonical_blocked, canonical_blocked_len) == 0;
+}
+
+static int (*real_open)(const char *, int, ...) = NULL;
+static int (*real_open64)(const char *, int, ...) = NULL;
+static FILE *(*real_fopen)(const char *, const char *) = NULL;
+static FILE *(*real_fopen64)(const char *, const char *) = NULL;
+static FILE *(*real_freopen)(const char *, const char *, FILE *) = NULL;
+static FILE *(*real_freopen64)(const char *, const char *, FILE *) = NULL;
+
+__attribute__((constructor)) static void init_hooks() {
+  real_open = dlsym(RTLD_NEXT, "open");
+  real_open64 = dlsym(RTLD_NEXT, "open64");
+  real_fopen = dlsym(RTLD_NEXT, "fopen");
+  real_fopen64 = dlsym(RTLD_NEXT, "fopen64");
+  real_freopen = dlsym(RTLD_NEXT, "freopen");
+  real_freopen64 = dlsym(RTLD_NEXT, "freopen64");
+}
+
+int open(const char *pathname, int flags, ...) {
+  if (is_blocked(pathname)) {
+    errno = EACCES;
+    return -1;
+  }
+
+  va_list args;
+  va_start(args, flags);
+  int fd;
+  if (flags & O_CREAT) {
+    mode_t mode = (mode_t)va_arg(args, int);
+    fd = real_open(pathname, flags, mode);
+  } else {
+    fd = real_open(pathname, flags);
+  }
+  va_end(args);
+  return fd;
+}
+
+int open64(const char *pathname, int flags, ...) {
+  if (is_blocked(pathname)) {
+    errno = EACCES;
+    return -1;
+  }
+
+  va_list args;
+  va_start(args, flags);
+  int fd;
+  if (flags & O_CREAT) {
+    mode_t mode = (mode_t)va_arg(args, int);
+    fd = real_open64(pathname, flags, mode);
+  } else {
+    fd = real_open64(pathname, flags);
+  }
+  va_end(args);
+  return fd;
+}
+
+FILE *fopen(const char *pathname, const char *mode) {
+  if (is_blocked(pathname)) {
+    errno = EACCES;
+    return NULL;
+  }
+  return real_fopen(pathname, mode);
+}
+
+FILE *fopen64(const char *pathname, const char *mode) {
+  if (is_blocked(pathname)) {
+    errno = EACCES;
+    return NULL;
+  }
+  return real_fopen64(pathname, mode);
+}
+
+FILE *freopen(const char *pathname, const char *mode, FILE *stream) {
+  if (is_blocked(pathname)) {
+    errno = EACCES;
+    return NULL;
+  }
+  return real_freopen(pathname, mode, stream);
+}
+
+FILE *freopen64(const char *pathname, const char *mode, FILE *stream) {
+  if (is_blocked(pathname)) {
+    errno = EACCES;
+    return NULL;
+  }
+  return real_freopen64(pathname, mode, stream);
+}
