Kalyan Kumar

Reputation: 407

How to secure kubernetes secrets?

I am trying to avoid Kubernetes secrets being viewable by any user. I tried sealed secrets, but that just hides secrets so they can be stored in version control. As soon as I apply that secret, I can see the secret using the command below.

kubectl get secret mysecret -o yaml

The above command still shows the base64-encoded form of the secret.

How do I avoid someone seeing the secret (even in base64 format) with the above simple command?

Upvotes: 2

Views: 1952

Answers (4)

Vishrant

Reputation: 16628

There is a VMware Secrets Manager for Cloud-Native Apps, a secure secret management store. It provides a minimal and intuitive API, ensuring practical security without compromising user experience.

https://github.com/vmware-tanzu/secrets-manager

Official documentation: https://vsecm.com/

Upvotes: 0

Marcel

Reputation: 21

There is no way to accomplish this with Kubernetes internal tools. You will always have to rely on a third-party tool.

HashiCorp's Vault is one very often used solution, which is very powerful and supports some very nice features, like Dynamic Secrets or Envelope Encryption. But it can also get very complex in terms of configuration. So you need to decide for yourself what kind of solution you need.

I would recommend using Sealed-Secrets. It encrypts your secrets and you can push the encrypted secrets safely to your repository. It does not have such a big feature list, but it does exactly what you described.

Upvotes: 2

Umesh Kumhar

Reputation: 816

You can use HashiCorp Vault or kubernetes-external-secrets (https://github.com/godaddy/kubernetes-external-secrets).

Or if you just want to restrict access, then you should create a read-only user and restrict that user's access to the secret using a Role and RoleBinding.

Then if anyone tries to describe the secret, it will throw an access denied error.

Sample code:

# Role for the demo user: grants access to pods (and pod exec) only.
# RBAC is allow-only, so with no rule naming "secrets" the user cannot
# get, list or watch Secret objects in this namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: test-secrets
  namespace: default
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
  - create
  - delete
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - create
---
# Binding that attaches the Role above to the user "demo" in "default".
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: test-secrets
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: test-secrets
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: demo

The above role has no access to secrets. Hence the demo user gets access denied.

Upvotes: 4
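To make clear why the Role in this answer denies `kubectl get secret mysecret -o yaml` while still permitting pod operations, here is an added example (not part of the answer or of any Kubernetes project code) that models the RBAC authorizer's rule matching in Python. It reproduces the apiGroups/resources/verbs matching, including the `*` wildcard and the `*/subresource` form, and leaves out resourceNames, nonResourceURLs and ClusterRole aggregation. `ROLE_FROM_ANSWER` is the posted YAML transcribed into a dict; `SECRET_READER` is a constructed contrast role that would expose Secret contents.

```python
"""Model of how Kubernetes RBAC evaluates a Role against a request.

RBAC is allow-only: there is no deny rule, and a request is permitted only
if at least one PolicyRule matches its API group, resource and verb.
"""
from dataclasses import dataclass

# The Role posted in the answer above, transcribed from YAML into a dict.
ROLE_FROM_ANSWER = {
    "rules": [
        {"apiGroups": [""], "resources": ["pods"],
         "verbs": ["get", "list", "watch", "create", "delete"]},
        {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
    ]
}

# Constructed contrast (not from the answer): a role that does let the API
# server return Secret objects, and with them the base64 "data" field.
SECRET_READER = {
    "rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
    ]
}

# Verbs whose responses carry Secret contents.
SECRET_READ_VERBS = ("get", "list", "watch")


@dataclass(frozen=True)
class Request:
    api_group: str  # "" is the core group (pods, secrets, configmaps, ...)
    resource: str   # "secrets", or "pods/exec" for a subresource
    verb: str


def _resource_matches(rule_resources, requested):
    """Resource matching: "*", an exact match, or "*/<subresource>"."""
    subresource = requested.split("/", 1)[1] if "/" in requested else ""
    for rr in rule_resources:
        if rr == "*" or rr == requested:
            return True
        # "*/<subresource>" covers that subresource on every resource.
        if subresource and rr == f"*/{subresource}":
            return True
    return False


def rule_allows(rule, req):
    groups = rule.get("apiGroups", [])
    verbs = rule.get("verbs", [])
    return (
        ("*" in groups or req.api_group in groups)
        and _resource_matches(rule.get("resources", []), req.resource)
        and ("*" in verbs or req.verb in verbs)
    )


def role_allows(role, req):
    """True iff any rule permits the request; rules never subtract access."""
    return any(rule_allows(rule, req) for rule in role.get("rules", []))


def secret_read_verbs(role):
    """Secret-revealing verbs the role grants in the core group.
    An empty set means the role cannot make the API server return a Secret."""
    return {v for v in SECRET_READ_VERBS
            if role_allows(role, Request("", "secrets", v))}


if __name__ == "__main__":
    # `kubectl get secret mysecret -o yaml` is a "get" on "secrets";
    # `kubectl describe secret` performs a get as well.
    for name, role in (("test-secrets", ROLE_FROM_ANSWER),
                       ("secret-reader", SECRET_READER)):
        allowed = role_allows(role, Request("", "secrets", "get"))
        verbs = sorted(secret_read_verbs(role)) or "none"
        print(f"{name}: get secrets -> {allowed}; secret-revealing verbs: {verbs}")
```

Against a real cluster the same question is answered by the API server's own authorizer with `kubectl auth can-i get secrets --as demo -n default`; `secret_read_verbs` is the audit you would run over every Role and ClusterRole bound in a namespace to find which subjects can actually read Secret contents.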

Tummala Dhanvi

Reputation: 3380

You can inject HashiCorp Vault secrets into Kubernetes pods via init containers and keep them up to date with a sidecar container.

More details here: https://www.hashicorp.com/blog/injecting-vault-secrets-into-kubernetes-pods-via-a-sidecar/

Upvotes: 0
