Securing Puppet infrastructure

Certs, the master, and node trust.

Advanced14 min · lesson 12 of 12

Puppet’s trust model runs on TLS certificates: each agent has a cert, the master has a CA, and the agent only accepts a catalog from a master it trusts while the master only compiles for agents whose certs it has signed. This mutual authentication is the security backbone — so certificate handling is the heart of securing Puppet. Autosigning every request is convenient and dangerous; deliberate signing (or policy-based autosign) controls which nodes can ever join.

CERTIFICATE TRUST LIFECYCLE
1CSR
agent generates key + certificate request
2Sign
puppetserver ca sign — deliberate or policy-based
3Mutual TLS
master compiles only for signed certs; agent trusts master
4Revoke
ca revoke for decommissioned/compromised nodes
Deliberate signing controls which nodes ever join; mutual TLS means the master compiles only for signed agents and agents accept only a trusted master.
terminal
# review and sign node certificate requests deliberately
$ puppetserver ca list # pending requests
$ puppetserver ca sign --certname web3.acme.internal
# revoke a decommissioned or compromised node
$ puppetserver ca revoke --certname old-node.acme.internal

The master and the code are privileged

The Puppet master compiles catalogs that run as root on every node and holds the eyaml private key that decrypts all secrets — it is one of the most sensitive hosts you operate, so harden it, restrict access, and keep its code in reviewed version control. Use environments to test changes before they reach production nodes, keep node trust (trusted facts from the cert, not spoofable facts) for security decisions, and never make authorization choices on facts a node can lie about.

manifest
# trust the certname from the cert (unspoofable), NOT a node-supplied fact
if $trusted['certname'] =~ /^prod-/ {
include profile::prod_hardening
}
# $facts can be manipulated by a compromised node; $trusted comes from the signed cert
Never autosign blindly, never trust spoofable facts
Blanket autosigning (autosign = true, or a wildcard) lets any machine that can reach the master get a signed cert and pull catalogs — an easy foothold. Use policy-based autosigning or sign deliberately. And base security decisions on $trusted (from the signed certificate), never on ordinary $facts, which a compromised agent can forge to claim it is a privileged node.