Kibana app security

[in-1911]

Description

When the user enables the deployment of Kibana app on Code Engine, several security issues should be addressed:

• Restrictions on private endpoint - see Kibana app in DA should have private endpoint. #333, if the endpoint is not limited to specific source IPs (e.g. a VPC), it does not offer much protection, as any other IBM Cloud account with a VPC can connect to it
• Kibana credentials for Elastic instance - ideally a different service credentials should be used, not the super admin. Probably a dedicated set of credentials should be set up, so that it can be rotated or disabled if necessary without affecting other credentials. It's not clear what Elastic permissions are required for Kibana, we may need some sort of option to reduce the permissions - e.g. so that access from Kibana is read-only.
• UI authentication in Kibana app. It seems that the user is supposed to authenticate with Elastic credentials to Kibana, but it's not clear if that can be restricted to only specific Elastic roles. Ideally, a separate authentication mechanism may need to be implemented (e.g. AppID), but that may not be supported in Kibana app image.

New or affected modules

---

By submitting this issue, you agree to follow our Code of Conduct

[Ak-sky]

@in-1911,

1st point is addressed in this PR.
2nd point, users list passed in the users variable like below, this can be used to login to Kibana dashboard.

[
  {
    "name": "es_reader",
    "password": "readpassword123",
    "type": "database"
  }
]

3rd point, for now the authentication is based on username/password, for other authentication types, SSO can be used with SAML, which I believe has to be set up separately.

cc: @ocofaigh @vburckhardt

[in-1911]

• Private endpoint: the fix: updated Kibana app endpoint to private #346 enables private endpoint, but is there a way to actually limit network access? Can a CBR be applied to a Code Engine project? Or some other way to restrict the origin of the connection?
• User credentials for Kibana - I was referring to the Elastic credentials used to set up the Kibana instance and its access to Elastic. The users input can configure multiple user accounts, but I believe the Kibana deployment uses super-admin for the initial setup - that's what I am concerned with. I think the credentials passed to Kibana image should be one of the lesser accounts specified in users input.

[Ak-sky]

Hi @in-1911, sorry for the delay in addressing this issue.

I have raised the PR covering the above security issues-

• Setting up built-in kibana_system user password specifically for the Code Engine Kibana application to connect to Elasticsearch instance with reduced permissions.
• Creates a new user for the Kibana application with database role.
• This is done by a bash script as currently there is no support in IBM TF provider (request raised) to setup password for kibana_system. This script performs basically two main operations -
  • Sets password for the built-in kibana_system user.
  • Creates a new user account for end user to log into Kibana dashboard.
• Set CBR rule for the Kibana dashboard using cbr_code_engine_kibana_rules variable.

Other aspect which I realised with respect to CBR rule is to have one more CBR rule for Code Engine Kibana App to Elasticsearch but unfortunately for this Code Engine as serviceRef in CBR zone is not supported for any of the ICD services if the target is ICD, I have created the Aha request for the same.