security(agent-rbac): deny mother-agent cross-namespace wallet keystore reads #602
Merged
OisinKyne
approved these changes
Jun 5, 2026
added 2 commits
June 5, 2026 20:10
… wallet reads The default (mother) agent's hermes-agent-factory-write ClusterRole granted cluster-wide secrets get/patch, letting it read any namespace's remote-signer wallet keystore. Wallet keys are only ever served via the in-namespace remote-signer REST API (never the k8s secrets API), so restrict secrets get/patch to a resourceNames allow-list (litellm-secrets, x402-buyer-admin, hermes-api-server, hermes-profile-seed, hermes-env, ca-certificates) and keep create open. The mother keeps its admin reads (logs, litellm, master key) and the agent-factory keeps working; only cross-namespace wallet keystore reads are denied. embed_crd_test now asserts this.
…crets allow-list ca-certificates is a ConfigMap (x402 ns), populated by the host CLI, never read by the agent via the k8s secrets API; allow-listing the name was pointless and a latent risk (a future TLS CA *secret* by that name often holds the CA private key). x402-buyer-admin (buyer admin token) is likewise not read by any agent flow. Allow-list is now the minimal set the agent/factory actually touches: litellm-secrets, hermes-api-server, hermes-profile-seed, hermes-env.
125bfab to
ac2cbf7
What
Scopes the default (mother) agent's secrets access so it can no longer read other namespaces' wallet keystores.
The gap
hermes-agent-factory-write (bound to the default agent SA) granted cluster-wide secrets get/patch — so the mother agent could read any namespace's remote-signer-keystore/-password (every other agent's private key) plus the LiteLLM master key. The mother agent is intended to be privileged (it spawns + monitors child agents — reading their logs / litellm / the master key is by design), but reading arbitrary wallet keystores is not.
Fix
Wallet keys are only ever served via the in-namespace remote-signer REST API (port 9000) — never read through the k8s secrets API by any agent flow. So secrets get/patch is restricted to a resourceNames allow-list; create stays open (it cannot read or overwrite an existing wallet):
litellm-secrets, x402-buyer-admin, hermes-api-server, hermes-profile-seed, hermes-env, ca-certificates
remote-signer-keystore, remote-signer-keystore-password, anything else
Preserved — verified with kubectl auth can-i on a live cluster
litellm-secrets (master key)
hermes-profile-seed (factory idempotent create)
pods/log (admin monitoring)
secrets create (factory child seeding)
remote-signer-keystore in another ns
secrets get
Test
embed_crd_test.go now asserts the factory secrets get is resourceNames-restricted and excludes wallet keystores. go test ./internal/embed/ ✓ · go build ./cmd/obol ✓.
Scope
One template file + one test assertion. Independent of #600; applies cleanly on main.
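An added example, not code from this PR or from the project's embed_crd_test.go: a Go check of the property the description states, that no rule lets the role read or change a wallet keystore through the secrets API. The PolicyRule struct, AuditSecretRules and both rule sets are constructed for illustration (the secret names come from the description), and the check goes slightly further than the PR by also treating list, watch, update and * as exposing verbs.

```go
package main

import "fmt"

// PolicyRule mirrors the fields of an rbac.authorization.k8s.io/v1 PolicyRule.
type PolicyRule struct{ APIGroups, Resources, Verbs, ResourceNames []string }

// Wallet keystore secret names, taken from the PR description.
var walletSecrets = map[string]bool{"remote-signer-keystore": true, "remote-signer-keystore-password": true}
// Verbs that return or alter an existing secret; "create" is deliberately absent.
var exposing = map[string]bool{"get": true, "list": true, "watch": true, "patch": true, "update": true, "*": true}

func matches(list []string, want string) bool {
	for _, v := range list {
		if v == want || v == "*" {
			return true
		}
	}
	return false
}

// AuditSecretRules reports each rule/verb pair that can reach a wallet keystore via the secrets API.
func AuditSecretRules(rules []PolicyRule) (findings []string) {
	for i, r := range rules {
		if !matches(r.APIGroups, "") || !matches(r.Resources, "secrets") {
			continue // rule does not cover core-group secrets
		}
		for _, verb := range r.Verbs {
			if exposing[verb] && len(r.ResourceNames) == 0 {
				findings = append(findings, fmt.Sprintf("rule %d: %s on secrets has no resourceNames", i, verb))
			}
			for _, n := range r.ResourceNames {
				if exposing[verb] && walletSecrets[n] {
					findings = append(findings, fmt.Sprintf("rule %d: %s allow-lists wallet secret %s", i, verb, n))
				}
			}
		}
	}
	return findings
}

// Constructed rule sets, not the project's template: before and after the fix.
var before = []PolicyRule{{[]string{""}, []string{"secrets"}, []string{"get", "patch", "create"}, nil}}
var after = []PolicyRule{
	{[]string{""}, []string{"secrets"}, []string{"get", "patch"}, []string{"litellm-secrets", "hermes-api-server", "hermes-profile-seed", "hermes-env"}},
	{[]string{""}, []string{"secrets"}, []string{"create"}, nil},
}

func main() { fmt.Println(AuditSecretRules(before), AuditSecretRules(after)) }
```

The unrestricted create rule produces no finding because Kubernetes cannot scope create by resourceNames and create does not return or overwrite an existing secret.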