This message was deleted Platform Engineering #general

Join Slack

This message was deleted.

# general

Slackbot

07/20/2023, 11:27 AM

This message was deleted.

Alan Longuet

07/20/2023, 11:40 AM

We've been experimenting with runtime secret injections where you put a secret management tool key in place of the value of your secrets and they are fetched right before your service starts, there's multiple solutions for that : https://github.com/busser/murmur https://banzaicloud.com/blog/inject-secrets-into-pods-vault-revisited/

Alan Longuet

07/20/2023, 11:41 AM

That does the job well, but you have a bigger dependency on your secret management tool that way

Grégory Vander Schueren

07/20/2023, 12:30 PM

What scenario are you trying to protect against? I believe it starts by properly configuring your k8s RBAC with least privilege to make sure that Kube secrets can only be read by those who actually need to read them

Grégory Vander Schueren

07/20/2023, 12:32 PM

If secrets are in the env of your process, they can anyways be read by someone that has kubectl exec access to the pod, or node access

Andrew Kirkpatrick

07/20/2023, 12:37 PM

They're only base64-encoded if you're using the

Secret

Resource, but if you're injecting/pulling secrets directly into your application Pods then you're subject to the risks others have mentioned (access to

env

variables, or the ephemeral filesystem if written there)

Andrew Kirkpatrick

07/20/2023, 12:40 PM

Another option is to have the applications themselves pull the secrets (https://github.com/hashicorp/vault-client-go) and have their access to the secret store granted via identity management (something like EKS IRSA)

3 Views

Open in Slack

Previous Next