Description
What happened?
I'm observing that the pods in the host cluster are leaking the service account token from the guest pod as an annotation such as
vcluster.loft.sh/token-ekuahkri: eyJhbGciOiJSUz...
Decoding the annotation value in https://www.jwt.io/ shows that it is a valid JWT token that can be used to act on behalf of the guest pod against the guest API server.
This seems dangerous since annotations can easily be disclosed when listing host/physical pods, and possibly shared with untrusted sources.
Kubernetes recommends storing sensitive data in a Secret object instead, see https://kubernetes.io/docs/concepts/configuration/secret/
> A Secret is an object that contains a small amount of sensitive data such as a password, a token, or a key. Such information might otherwise be put in a Pod specification or in a container image. Using a Secret means that you don't need to include confidential data in your application code.
>
> Because Secrets can be created independently of the Pods that use them, there is less risk of the Secret (and its data) being exposed during the workflow of creating, viewing, and editing Pods.
I could not spot the related doc and PR to get the full background and rationale for this annotation. Here are the related code fragments:

```go
ServiceAccountTokenAnnotation = "vcluster.loft.sh/token-"
```

vcluster/pkg/controllers/resources/pods/translate/translator.go
Lines 613 to 616 in 921f9fc

```go
annotation = ServiceAccountTokenAnnotation + random.String(8)
if pPod.Annotations[annotation] == "" {
	pPod.Annotations[annotation] = token.Status.Token
	break
} // closing brace of the excerpted block
```
What did you expect to happen?
Replace the vcluster.loft.sh/token annotation value with a reference to a secret
How can we reproduce it (as minimally and precisely as possible)?
Inspect the host pod annotations.
Anything else we need to know?
No response
Host cluster Kubernetes version
Details

```
$ kubectl version
# paste output here
```

vcluster version
Details

```
image: ghcr.io/loft-sh/vcluster-oss:0.30.4
```

VCluster Config
Details

```
# My vcluster.yaml / values.yaml here
```