Threat Model

Scope

This document analyzes the security boundaries, assets, and potential threats to the OpenBao Operator using the STRIDE framework.

1. Trust Boundaries

The system is divided into three major trust zones.

graph TD
    subgraph Operator_Zone [Trust Zone: Operator]
        Op[Operator Controller]
        OpSA[ServiceAccount: Operator]
    end

    subgraph Tenant_Zone [Trust Zone: Tenant Namespace]
        Bao[OpenBao Cluster]
        Secret[Root Token / Unseal Key]
        PVC[Raft Storage PVC]
    end

    subgraph Cloud_Zone [Trust Zone: External]
        S3[Object Storage]
        K8sAPI[Kubernetes API]
    end

    Op -- Reconciles --> Bao
    Op -- Minimal Access --> K8sAPI
    Op -.->|Blind Write| Secret
    Bao -- Streams Snapshots --> S3

    linkStyle 0 stroke:#22c55e,stroke-width:2px;
    linkStyle 2 stroke:#ef4444,stroke-width:2px;

2. Asset Identification

| Asset | Risk Level | Location | Description |
|---|---|---|---|
| Root Token | Critical | Secret | Grants full administrative access to OpenBao. |
| Unseal Keys | High | Secret | Static keys used to decrypt the vault master key. |
| Raft Data | High | PVC | Encrypted persistent storage containing all vault data. |
| Snapshots | High | S3/GCS | Encrypted backups of the Raft data. |
| CA Key | High | Secret | Private key for the Cluster Root CA. |
| Configuration | Medium | ConfigMap | HCL configuration files. |

3. STRIDE Analysis

Spoofing (Identity)

Threat: A rogue pod attempts to join the Raft cluster.

Mitigation: mTLS

Only pods with a valid certificate signed by the Operator CA (mounted via Secret) can join the mesh.

Threat: An attacker spoofs external endpoints.

Mitigation: Network Policy

Default-deny ingress policies enforce cluster isolation. TLS is required for all external traffic.

Tampering (Data Integrity)

Threat: User manually edits the StatefulSet (e.g., changes image).

Mitigation: Reconciliation

The Operator watches for changes and immediately reverts drift to the desired state defined in the CRD.

Threat: Malicious tenant points backups to unauthorized storage.

Mitigation: Policy

Use Admission Policies (ValidatingAdmissionPolicy) to restrict allowed backup targets.

Repudiation (Audit Logs)

Threat: Lack of audit trail for critical actions (step-down, backup).

Mitigation: Structured Auditing

The Operator emits structured JSON logs with audit=true for all control plane actions.

Information Disclosure (Privacy)

Threat: TLS keys or tokens exposed in logs.

Mitigation: Redaction

Strict policy against logging secrets. Use crypto/rand for generation. OpenBao telemetry is used instead of debug logs.

Denial of Service (Availability)

Threat: Misconfigured CR causing hot reconcile loops.

Mitigation: Rate Limiting

The controller uses MaxConcurrentReconciles and exponential backoff to prevent API saturation.

Elevation of Privilege (Authorization)

Threat: Attacker compromises the Operator Pod.

Mitigation: Least Privilege

  • Non-Root: Operator runs as non-root.
  • Blind Writes: Operator can create Secrets but cannot list/read them back.
  • Split RBAC: Separated ServiceAccounts for Provisioning vs. Management.
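
The Blind Writes property above can be checked mechanically against a Role before it is applied. The following is an added example, not code from the OpenBao Operator: `PolicyRule` is a local type mirroring the apiGroups/resources/verbs fields of a Kubernetes RBAC rule, and `has` and `BlindWriteViolations` are names introduced here. It flags any rule that lets the subject read Secrets back, including grants hidden behind `*` wildcards.

```go
package main

import "fmt"

// PolicyRule mirrors the apiGroups/resources/verbs fields of a Kubernetes
// RBAC rule; declared locally so the example runs without client libraries.
type PolicyRule struct {
	APIGroups, Resources, Verbs []string
}

// has reports whether list contains want or the RBAC wildcard "*".
func has(list []string, want string) bool {
	for _, v := range list {
		if v == want || v == "*" {
			return true
		}
	}
	return false
}

// BlindWriteViolations returns one finding per read verb (get, list, watch)
// that a rule grants on core-group Secrets, directly or through a wildcard.
// It also reports when no rule grants "create", since then no write is possible.
func BlindWriteViolations(rules []PolicyRule) []string {
	var findings []string
	canCreate := false
	for i, r := range rules {
		if !has(r.APIGroups, "") || !has(r.Resources, "secrets") {
			continue // rule does not cover core-group Secrets
		}
		canCreate = canCreate || has(r.Verbs, "create")
		for _, verb := range []string{"get", "list", "watch"} {
			if has(r.Verbs, verb) {
				findings = append(findings, fmt.Sprintf("rule %d grants %q on secrets", i, verb))
			}
		}
	}
	if !canCreate {
		findings = append(findings, "no rule grants \"create\" on secrets")
	}
	return findings
}

func main() {
	// Constructed sample rules, not taken from the operator's manifests.
	blind := []PolicyRule{{[]string{""}, []string{"secrets"}, []string{"create"}}}
	broad := []PolicyRule{{[]string{"*"}, []string{"*"}, []string{"*"}}}
	fmt.Println(len(BlindWriteViolations(blind)), BlindWriteViolations(broad))
}
```
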

4. Secrets Management

Critical Requirements

  1. Never Log Secrets: Root tokens, unseal keys, and CA keys must NEVER appear in stdout/stderr.
  2. Unique Names: Secrets must include the cluster name to prevent collisions.
  3. Strict RBAC: Only Cluster Admins should have access to the Root Token Secret.