In the diagram on the kubernetes-vault repo, you can see that the init container takes the wrapped secret_id, then unwraps and redeems the secret_id for a token via Vault. Why doesn't the kubernetes-vault controller do this unwrapping and redemption itself and simply transmit the token to the init container?
https://github.com/Boostport/kubernetes-vault/raw/master/flow-diagram.png
Note: The kubernetes-vault project is an open-source project maintained by my company.
The reason the init container unwraps the secret is twofold:

1. Only the init container and the pod it is in are able to see the final secret. That means that the kubernetes-vault controller does not know what the token is and is not able to use it for malicious purposes if compromised.
2. If someone intercepts the wrapped token and unwraps it, the init container would not be able to unwrap the token, and this is a good signal that the cluster has been compromised. If the unwrapped token is sent to the init container, it can be intercepted and it would not be possible to alert on this.
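The two properties above (the controller never sees the final token, and a wrapping token that was already consumed fails on the pod's unwrap) can be checked with a small simulation. This is an added example, not code from kubernetes-vault; `VaultSim` is a constructed stand-in for Vault's single-use response wrapping and AppRole login, not the real Vault API.

```python
import secrets


class VaultSim:
    """Constructed stand-in for the Vault features the answer relies on:
    response wrapping (single-use wrapping tokens) and AppRole login."""

    def __init__(self):
        self._wrapped = {}       # wrapping token -> payload, removed on first unwrap
        self._secret_ids = set()

    def wrap_secret_id(self):
        # The controller asks Vault for a wrapped secret_id; it only ever
        # receives the wrapping token, never the secret_id itself.
        secret_id = secrets.token_hex(16)
        self._secret_ids.add(secret_id)
        wrap_token = secrets.token_hex(16)
        self._wrapped[wrap_token] = {"secret_id": secret_id}
        return wrap_token

    def unwrap(self, wrap_token):
        # Single use: a second unwrap of the same wrapping token fails.
        try:
            return self._wrapped.pop(wrap_token)
        except KeyError:
            raise PermissionError("wrapping token invalid or already unwrapped")

    def approle_login(self, secret_id):
        if secret_id not in self._secret_ids:
            raise PermissionError("unknown secret_id")
        self._secret_ids.discard(secret_id)
        return "s." + secrets.token_hex(12)     # final client token for the pod


def init_container(vault, wrap_token):
    """Pod side: returns ('token', tok) or ('alert', reason)."""
    try:
        secret_id = vault.unwrap(wrap_token)["secret_id"]
    except PermissionError as exc:
        return ("alert", str(exc))   # someone unwrapped it first: compromise signal
    return ("token", vault.approle_login(secret_id))


def normal_flow():
    vault = VaultSim()
    wrap_token = vault.wrap_secret_id()      # all the controller ever holds
    return init_container(vault, wrap_token)


def intercepted_flow():
    vault = VaultSim()
    wrap_token = vault.wrap_secret_id()
    vault.unwrap(wrap_token)                 # interceptor consumes it in transit
    return init_container(vault, wrap_token) # pod's unwrap now fails and alerts
```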