docs/aws : incite to delete the config after 1st boot #576
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…boot The configuraton may contains sensitive data. As any subsequent container may be able to access the s3 bucket it is advised to clear it. See #306 Also remove one level in the s3 config title so it appear in the TOC
jbtrystram
force-pushed
the
feat/aws-remote-s3-config-cleanup
branch
from
9610e1d
to
252128a
Compare
travier
reviewed
Aug 22, 2023
travier
reviewed
Aug 23, 2023
Comment on lines
110
to
111
| Any container running on the instance could be able to read the config, raising security concerns. |
There was a problem hiding this comment.
Suggested change
| Once the instance have completed the first boot, we recommend cleaning up the configuration files. | |
| Any container running on the instance could be able to read the config, raising security concerns. | |
| Once the instance has completed the first boot,we recommend removing the Ignition config from the S3 bucket as any process or container running on the instance could access it. |
Comment on lines
128
to
132
| If you need to have secrets in your ignition configuration you should store it into a s3 bucket and have a minimal configuration in user-data. | ||
| Make sure to clear the s3 bucket when the first boot is completed. | ||
|
|
||
| See the https://coreos.github.io/ignition/operator-notes/#secrets[ignition documentation] for more advice on secret management. |
There was a problem hiding this comment.
Let's move that into a single paragraph with the rest at the top of this section.
|
Sorry for the partial review. I'm trying to figure out how we could best convey the risks while making the good option the default. Maybe we need to re-organize the entire page to start with the not on secrets in Ignition. |
|
I updated the PR with some of your ideas. If you think that's still not clear I'll try a complete rework of the page as you suggested |
travier
reviewed
Aug 30, 2023
Co-authored-by: Timothée Ravier <tim@siosm.fr>
travier
approved these changes
Aug 30, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The configuraton may contains sensitive data. As any subsequent container may be able to access the s3 bucket it is advised to clear it. See #306