Reputation: 2949
Is it possible to prevent k8s secret of being empty (zero bytes)?
Is it possible to configure k8s in a way that empty secrets are not possible?
I had a problem in a service that somewhat the secret got overwritten with an empty one (zero bytes) and thereby my service malfunctioned. I see no advantage of having an secret empty at any time and would like to prevent empty secrets all together.
Thans for your help!
Upvotes: 0
Views: 953
Answers (1)
Reputation: 33203
While it's not a simple answer to implement, as best I can tell what you are looking for is an Admission Controller, with a very popular one being OPA Gatekeeper
The theory is that kubernetes, as a platform, does not understand your business requirement to keep mistakes from overwriting Secrets. But OPA as a policy rules engine allows you to specify those things without requiring the upstream kubernetes to adopt those policies for everyone
An alternative is to turn on audit logging and track down the responsible party for re-education
A further alternative is to correctly scope RBAC Roles to actually deny writes to Secrets except for those credentials that are known to be trusted
Upvotes: 1
Related Questions
- Why cannot K8s pod read stored secret?
- not load secret in k8s
- How to create a secret in the k8s cluster from a pod's container?
- How to mark secret as optional in kubernetes?
- Is it possible to create a string array secret in k8s?
- Mounting a k8s secret using kustomize
- k8s management/handling of secrets inside container
- Create K8s Secret with Pre-Install hook
- Unable to create a Secret Using kubectl
- Byte array as kubernetes secret?