Securing the Chef server & clients
Keys, RBAC, and the pull model’s risks.
Chef’s pull model concentrates trust in two places: the Chef server (which holds all cookbooks, data bags, and node definitions) and the client keys (which authenticate nodes and users). Securing Chef means hardening both. On the server, use its RBAC to scope what each user and node can read and change — not everyone should upload cookbooks or read every data bag — and protect it like the critical service it is, since it dictates what runs as root fleet-wide.
# scope access with server RBAC, and rotate client keys periodically$ knife group create cookbook-authors$ knife acl add group cookbook-authors cookbooks web update$ knife client reregister web1 > /tmp/web1.pem # rotate a node’s key
Node-side and secret hygiene
On nodes, chef-client runs as root, so protect its keys and the encrypted-data-bag secret with tight file permissions, mark sensitive resources so secrets stay out of logs, and keep the run interval and error handling sane so a bad converge does not loop destructively. Prefer an external secret manager or Chef Vault over a shared data-bag key, and keep cookbooks in reviewed version control with testing as a gate.
chef_server_url "https://chef.acme.internal/organizations/acme"ssl_verify_mode :verify_peer # never :verify_none in productionfile_cache_path "/var/chef/cache"# protect /etc/chef/client.pem and the data-bag secret with 0600 root-only