Home > General > Limitations with Kubernetes Secrets

Limitations with Kubernetes Secrets


I’ve been working in Kubernetes space for quite some time now and ‘ve been coding in Go and directly contributing to this project in opensource world. Well coming to the subject of this blog, I would like to touch base here on a loosely designed object i.e. “secret store” in kubernetes. This topic has been a center of discussion in various forums, ‘am just trying to re-echo their voice in this blog.

Right now Kubernetes stores it’s secrets in etcd under /registry/secrets location. All the secrets are just base64 encoded and stored in etcd. This is what is the primary risk that security guys like me have been barking about. Now is there a way to get out of this issue? Yes but with a possible enhancement i.e. to externalize the secret store from Kubernetes system to something like HashiCorp’s HashiVault or Barbican coupled with Hardware Security Module (HSM).

Following are few risks adapting secret store mechanism in K8s:

  1. API server secret data is stored as plaintext (base64 encoded only) in etcd
  2. Secrets are shared if multiple replicas of etcd are run
  3. root on any node can read any secret from the api server
  4. User creating a pod that uses secret can also see the value of that secret
  5. No secret store access control at Kubernetes cluster level
  6. Key max length of 253 chars, Secret value <= 1MB. It is possible to accidentally push the Secrets definition to version control

Here is the change that ‘am looking for…It can be Barbican or HashiVault…

Barbican_k8s.png

 

Currently there is no plug-in to K8S that can help externalize the secret store to Hashi Vault or Barbican. I developed one for both HashiVault and Barbican, I will upload the github link soon for it.

Advertisements
Categories: General
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: