Kubernetes kubelet security issue

7/5/2018

We are using EKS, integrated with Vault using Kubernetes as the 'auth-backend' for Vault. One of the security flaws we see is that, if someone has access to the kubelet certs, they can impersonate the kubelet and hence acquire the secret for a service account that a pod has been mapped to (a service account which already has Vault creds access as per the Vault Role defined), authenticate themselves with Vault and get the DB credentials from Vault. Is there a way to mitigate this? Basically, how can we mitigate the risk of someone impersonating the kubelet?

-- Rajarajan Pudupatti Sundari Je
amazon-eks
hashicorp-vault
kubernetes
kubernetes-security

0 Answers