Decision matrix

Secure coding defaults

| Area | Expected default | Avoid |
| --- | --- | --- |
| Randomness | Use crypto/rand for security-sensitive values. | math/rand for tokens, passwords, keys, or nonces. |
| Controller execution model | Use Go libraries and Kubernetes clients directly. | Shelling out to kubectl, helm, bao, vault, or similar binaries from controllers. |
| Input validation | Validate paths, ranges, and other CR-driven input before use. | Passing raw user input into filesystem or runtime-sensitive operations. |
| Secret handling | Do not log secret contents and minimize their lifetime in memory. | Debug output that prints token, key, or secret payload fields. |

Minimal secure examples

```go
import (
	"crypto/rand"
	"os"
)

// writeKey stores private key material with owner-only permissions.
// Note: 0o600 is applied when the file is created; an existing file keeps its mode.
func writeKey(keyPath string, keyData []byte) error {
	return os.WriteFile(keyPath, keyData, 0o600)
}

// newToken draws 32 bytes of cryptographically secure randomness (crypto/rand, never math/rand).
func newToken() ([]byte, error) {
	token := make([]byte, 32)
	if _, err := rand.Read(token); err != nil {
		return nil, err
	}
	return token, nil
}
```

Controllers must not shell out

Shelling out introduces injection risk, hidden runtime dependencies, and slower, harder-to-test control paths. Use Kubernetes clients and internal helpers instead.

Input and secret handling

  • Clean and validate filesystem paths before use.
  • Enforce numeric and enum bounds from CR input explicitly.
  • Never log secret payloads, even in debug-only paths.
  • Zero sensitive byte slices after use when the code keeps them in memory for any meaningful period.
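The path and bounds checks above, as an added example that is not the project's own code: ResolveUnderBase, ValidateSpec, the base directory and the replicas/log-level policy are all hypothetical, constructed for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrInvalidInput marks CR-driven values the controller must reject before use.
var ErrInvalidInput = errors.New("invalid CR input")

// ResolveUnderBase confines a CR-supplied relative path to baseDir (lexical check only;
// resolve symlinks with filepath.EvalSymlinks if baseDir may contain them).
func ResolveUnderBase(baseDir, userPath string) (string, error) {
	if userPath == "" || filepath.IsAbs(userPath) {
		return "", fmt.Errorf("%w: path %q must be relative and non-empty", ErrInvalidInput, userPath)
	}
	full := filepath.Join(baseDir, userPath) // Join cleans "." and ".." segments
	rel, err := filepath.Rel(baseDir, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: path %q escapes %q", ErrInvalidInput, userPath, baseDir)
	}
	return full, nil
}

// Constructed sample bounds: replicas range and allowed log levels for the example spec.
const (
	minReplicas int32 = 1
	maxReplicas int32 = 50
)

var allowedLevels = map[string]bool{"info": true, "debug": true, "error": true}

// ValidateSpec enforces numeric and enum bounds explicitly instead of trusting the CR.
func ValidateSpec(replicas int32, level string) error {
	if replicas < minReplicas || replicas > maxReplicas {
		return fmt.Errorf("%w: replicas %d outside [%d, %d]", ErrInvalidInput, replicas, minReplicas, maxReplicas)
	}
	if !allowedLevels[level] {
		return fmt.Errorf("%w: unsupported log level %q", ErrInvalidInput, level)
	}
	return nil
}

func main() {
	_, err := ResolveUnderBase("/var/lib/app", "../etc/passwd")
	fmt.Println(err) // invalid CR input: path "../etc/passwd" escapes "/var/lib/app"
	fmt.Println(ValidateSpec(0, "trace")) // invalid CR input: replicas 0 outside [1, 50]
}
```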

Related secure-contributor guides
