Security Self Assessment: [STRIDE-DOS-1] Misuse of cloud credentials to create unlimited number of cloud resources

[PushkarJ]

User Story

As an operator, I would like to apply soft/hard limits on maximum number of cloud resources so that I don't end up exhausting cloud resources available

As an operator, I would like to apply rate limits on cloud resource creation request, so that I don't end up exhausting cloud resources available in a short period of time

Detailed Description

Snippet from Cluster API security self-assessment: kubernetes/sig-security#40

STRIDE-DOS-1 - Misuse of cloud credentials to create unlimited number of cloud resources
Cloud credentials can be misused by someone who has access to it by accidentally or maliciously creating very large number of cloud resources to exhaust cloud capacity or for financial damage caused due to surprise bills

STRIDE-DOS-1 Recommended Mitigations

• Create safe defaults (soft and hard) for the maximum number of cloud resources that can be created.
• Apply rate limits on how many “create cloud resources” requests can be successfully processed using the same cloud credentials.
• Implement threshold based alerts when a particular soft limit is exceeded

/kind feature
/sig security
/area security

[fabriziopandini]

/milestone v1.2

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[fabriziopandini]

/lifecycle frozen
/triage accepted
/help

Still a valid point to document some generic best practices, but providing specific guidance for each cloud infrastructure should be addressed by cloud providers

I'm not sure that we can/we should apply rate limits on clusterctl and underlying APIs on concurrent and successive requests because technically complex; also it does not prevents to use of credentials in other ways so it doesn't solve the problem
IMO the only real solution to avoid this risk is to rely on infrastructure quota management

[k8s-ci-robot]

@fabriziopandini:
This request has been marked as needing help from a contributor.

Guidelines

Please ensure that the issue body includes answers to the following questions:

• Why are we solving this issue?
• To address this issue, are there any code changes? If there are code changes, what needs to be done in the code and what places can the assignee treat as reference points?
• Does this issue have zero to low barrier of entry?
• How can the assignee reach out to you for help?

For more details on the requirements of such an issue, please see here and ensure that they are met.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help command.

In response to this:

/lifecycle frozen
/triage accepted
/help

Still a valid point to document some generic best practices, but providing specific guidance for each cloud infrastructure should be addressed by cloud providers

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-triage-robot]

This issue has not been updated in over 1 year, and should be re-triaged.

You can:

• Confirm that this issue is still relevant with /triage accepted (org members only)
• Close this issue with /close

For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/

/remove-triage accepted

[fabriziopandini]

/priority backlog

[fabriziopandini]

I'm collapsing this issue into #6152 to see if we can make some progess
/close

[k8s-ci-robot]

@fabriziopandini: Closing this issue.

In response to this:

I'm collapsing this issue into #6152 to see if we can make some progess
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.