K
Q

How can I minimize administrator access to secrets in kubernetes?

4/11/2018

AFAIK administrators can use exec to execute commands in a container running in kubernetes. This means that they can see all the secrets correct?

Now if the secret is used to connect to something externally, which that administrator does not have access to, how can I avoid that the adminstrator gets access to that external system?

Do I need to use something like Hashicorps Vault?

-- kohlerm
kubernetes

Similar Questions

Why docker download the same image again while I using Kubernetes
Deploying new version of my images without downtime when deploying wordpress application using kubernetes
Unable to initiate Kubernetes Federation in Google Cloud Platform
How should I set up FQDN identity for kubernetes pods in local cluster?

1 Answer

4/11/2018

Do I need to use something like Hashicorps Vault?

Generally, yes: you need an external encrypted source in order to separate secret management (readable by admins with the right RBAC) and secrets.

For instance, something like hashicorp/vault-plugin-auth-kubernetes can help and allows for Kubernetes Service Accounts to authenticate with Vault.

-- VonC
Source: StackOverflow