@FelixPhipps FelixPhipps commented Oct 20, 2025

Closes VC-46158

@davidnoyes

What manual validation has been performed to check that this solves the issue for the DisCo team?

FelixPhipps commented Oct 20, 2025

Manual testing steps

  1. Build the agent binary:
      go build -o _bin/ark ./cmd/ark

  2. Create an immutable Secret. Save as secret.yaml:
      apiVersion: v1
      kind: Secret
      metadata:
        name: tls-client-auth-only-rsa
        namespace: cyberark
      immutable: true
      type: kubernetes.io/tls
      data:
        tls.crt: dGVzdA==
        tls.key: dGVzdA==

  3. Apply:
      kubectl apply -f secret.yaml

  4. Prepare agent config including secrets gatherer. Save as agent_config.yaml:
      cluster_description: "manual test of immutable secret"
      period: "12h0m0s"
      data-gatherers:
        - kind: k8s-dynamic
          name: ark/secrets
          config:
            resource-type:
              version: v1
              resource: secrets
            field-selectors:
              - type!=kubernetes.io/dockercfg
              - type!=kubernetes.io/dockerconfigjson
              - type!=bootstrap.kubernetes.io/token
              - type!=helm.sh/release.v1

  5. Run agent one-shot:
      --logging-format=json \
      --log-level=6 \
      --one-shot \
      --output-path out.txt \
      --agent-config-file agent_config.yaml

  6. Verify immutable field is present in output out.txt:
      [image]
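The check in step 6 can be scripted so that it covers each state the field can take (true, false, missing). This is an added example, not part of the PR or the project's code. It assumes out.txt is one JSON document in which each gathered Secret keeps its `kind: Secret` field; the sample envelope and the secrets `example-mutable` and `example-unset` are constructed.

```python
import json
import sys

def secret_immutable_states(doc):
    """Return {"namespace/name": "true" | "false" | "missing" | "invalid"}
    for every object with kind == "Secret" found anywhere in a parsed JSON document."""
    states = {}
    stack = [doc]
    while stack:
        node = stack.pop()
        if isinstance(node, list):
            stack.extend(node)
        elif isinstance(node, dict):
            meta = node.get("metadata")
            if node.get("kind") == "Secret" and isinstance(meta, dict):
                key = f"{meta.get('namespace', '')}/{meta.get('name', '')}"
                value = node.get("immutable")
                if value is None:
                    states[key] = "missing"   # field absent or null
                elif isinstance(value, bool):
                    states[key] = "true" if value else "false"
                else:
                    states[key] = "invalid"   # e.g. the string "true"
            stack.extend(node.values())
    return states

# Constructed sample: the envelope keys ("items", "resource") are assumptions,
# not the agent's documented output format. Only the first Secret is from the page.
SAMPLE = json.loads("""
{"items": [
  {"resource": {"kind": "Secret", "type": "kubernetes.io/tls", "immutable": true,
                "metadata": {"name": "tls-client-auth-only-rsa", "namespace": "cyberark"}}},
  {"resource": {"kind": "Secret", "type": "kubernetes.io/tls", "immutable": false,
                "metadata": {"name": "example-mutable", "namespace": "cyberark"}}},
  {"resource": {"kind": "Secret", "type": "kubernetes.io/tls",
                "metadata": {"name": "example-unset", "namespace": "cyberark"}}}
]}
""")

if __name__ == "__main__":
    # Usage: python check_immutable.py out.txt (falls back to the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            doc = json.load(fh)
    else:
        doc = SAMPLE
    for name, state in sorted(secret_immutable_states(doc).items()):
        print(f"{name}: immutable={state}")
```

Because the walker searches the whole document for Secret objects, it does not depend on how the agent wraps them.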

@mladen-rusev-cyberark mladen-rusev-cyberark left a comment

Tested manually via the testing steps with the 3 states of immutable (true, false, missing). Output is as expected.

@FelixPhipps FelixPhipps merged commit ff3d50e into master Oct 20, 2025
3 checks passed
@inteon inteon deleted the secret-immutable-VC-46158 branch December 11, 2025 13:25