Kubernetes secrets encryption

7/24/2018

I have pods deployed to a Kubernetes cluster (hosted with Google Cloud Kubernetes). Those pods are using some secrets, which are plain text files. I added the secret to the yaml file and deployed the deployment. The application is working fine.

Now, let's say that someone compromised my code and somehow got access to all my files on the container. In that case, the attacker can find the secrets directory and print all the secrets written there. It's plain text.

Question:

Why is it more secure to use kubernetes-secrets instead of just plain text?

-- No1Lives4Ever
google-cloud-platform
kubernetes

2 Answers

1/21/2020

In that case you can create the secrets using a command instead of having them in the yaml file. Example:

kubectl create secret generic cloudsql-user-credentials --from-literal=username=[your user] --from-literal=password=[your pass]

You can also read it back with:

kubectl get secret cloudsql-user-credentials -o yaml

I also use the secret with 2 levels; the first one is the Kubernetes one:

  env:
    - name: SECRETS_USER
      valueFrom:
        secretKeyRef:
          name: cloudsql-user-credentials
          key: username

SECRETS_USER is an env var, whose value I use in jasypt:

spring:
  datasource:
    password: ENC(${SECRETS_USER})

On the app startup you use the param: -Djasypt.encryptor.password=encryptKeyCode

java -cp ~/.m2/repository/org/jasypt/jasypt/1.9.2/jasypt-1.9.2.jar org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI input="encryptKeyCode" password=[pass user] algorithm=PBEWithMD5AndDES
-- Tiago Medici
Source: StackOverflow
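The following is an added example, not code from the answer above or from Kubernetes itself. It models, in plain Python, what the three pieces of that answer actually do: what `kubectl create secret generic --from-literal` sends to the API server, what `kubectl get secret -o yaml` hands back (base64, which anyone can decode with no key), and how the kubelet resolves a `valueFrom.secretKeyRef` env entry or a volume mount into the plaintext the question is worried about. The secret name is taken from the answer; the literal values, the env list and the mount path are constructed for illustration.

```python
import base64
from typing import Dict, List

# Constructed sample literals (not from the original post), standing in for
# the [your user] / [your pass] placeholders in the kubectl command above.
LITERALS = {"username": "app_user", "password": "s3cr3t-p4ss"}


def build_secret(name: str, literals: Dict[str, str]) -> dict:
    """The Secret object `kubectl create secret generic NAME --from-literal=k=v`
    sends to the API server. `data` values are base64-encoded because that is
    the API's encoding for byte strings; base64 is not encryption."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "Opaque",
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in literals.items()},
    }


def read_secret(secret: dict) -> Dict[str, str]:
    """What `kubectl get secret NAME -o yaml` shows once decoded: anyone with
    `get` on the object recovers the plaintext with no key at all."""
    return {k: base64.b64decode(v).decode() for k, v in secret["data"].items()}


def resolve_env(env: List[dict], secrets: Dict[str, dict]) -> Dict[str, str]:
    """Resolve a container's `env` list the way the kubelet does: plain
    `value` entries pass through, `valueFrom.secretKeyRef` entries are looked
    up in the named Secret and decoded. A missing Secret or key raises
    KeyError; on a real node that surfaces as CreateContainerConfigError."""
    resolved = {}
    for entry in env:
        if "valueFrom" not in entry:
            resolved[entry["name"]] = entry["value"]
            continue
        ref = entry["valueFrom"]["secretKeyRef"]
        encoded = secrets[ref["name"]]["data"][ref["key"]]
        resolved[entry["name"]] = base64.b64decode(encoded).decode()
    return resolved


def mounted_files(secret: dict, mount_path: str) -> Dict[str, str]:
    """What a volume mount of the Secret puts on the container filesystem:
    one plaintext file per key. This is the 'secrets directory' the question
    describes; an attacker with a shell in the container reads it directly."""
    return {f"{mount_path}/{k}": v for k, v in read_secret(secret).items()}


if __name__ == "__main__":
    secret = build_secret("cloudsql-user-credentials", LITERALS)
    # The env entry from the answer, resolved against the Secret.
    env = [
        {"name": "SECRETS_USER",
         "valueFrom": {"secretKeyRef": {"name": "cloudsql-user-credentials",
                                        "key": "username"}}},
    ]
    print(read_secret(secret))
    print(resolve_env(env, {"cloudsql-user-credentials": secret}))
    print(mounted_files(secret, "/etc/cloudsql"))  # constructed mount path
```

The point the code makes: neither the API object nor the env var nor the mounted file is protected by anything in the Secret itself. The second level in the answer (a jasypt `ENC(...)` value plus a master password passed at startup) only helps if that master password is not also sitting in the same container.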

7/24/2018

There are different levels of security and as @Vishal Biyani says in the comments, it sounds like you're looking for a level of security you'd get from a project like Sealed Secrets.

As you say, out of the box secrets don't give you encryption at the container level. But they do give you controls on access through kubectl and the Kubernetes APIs. For example, you could use role-based access control so that specific users could see that a secret exists without seeing (through the k8s APIs) what its value is.

-- Ryan Dawson
Source: StackOverflow
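As an added example of the RBAC point in the answer above (this is illustration code, not part of the original post or of Kubernetes): a small model of how the API server matches a request against Role rules, with a constructed Role and RoleBinding that let one ServiceAccount `get` exactly one named secret and nothing else. One caveat worth knowing when designing this: `list` and `watch` return whole Secret objects, `data` included, and rules with `resourceNames` never match them because those requests carry no object name. So the way to keep values scoped is `get` on named secrets, as below, rather than granting `list` to "see that a secret exists". Namespace, names and subjects are assumptions chosen for the example.

```python
from typing import Dict, Optional, Sequence

# Constructed Role (example data, not from the original post): only `get`,
# only one named secret. No list/watch, since those return every Secret in
# the namespace with its `data`, and cannot be narrowed by resourceNames.
ROLE = {
    "kind": "Role",
    "metadata": {"namespace": "prod", "name": "cloudsql-secret-reader"},
    "rules": [
        {
            "apiGroups": [""],            # core API group, where Secrets live
            "resources": ["secrets"],
            "resourceNames": ["cloudsql-user-credentials"],
            "verbs": ["get"],
        }
    ],
}

# Constructed RoleBinding: grants the Role to the app's ServiceAccount only.
ROLE_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"namespace": "prod", "name": "app-reads-cloudsql-secret"},
    "subjects": [{"kind": "ServiceAccount", "name": "app", "namespace": "prod"}],
    "roleRef": {"kind": "Role", "name": "cloudsql-secret-reader"},
}


def rule_matches(rule: dict, verb: str, group: str, resource: str,
                 name: Optional[str]) -> bool:
    """RBAC matching: verb, API group and resource must each be listed
    (or '*'). If the rule has resourceNames, the request must carry one of
    them; list/watch requests carry no name, so such a rule never grants them."""
    verb_ok = "*" in rule["verbs"] or verb in rule["verbs"]
    group_ok = "*" in rule["apiGroups"] or group in rule["apiGroups"]
    resource_ok = "*" in rule["resources"] or resource in rule["resources"]
    names = rule.get("resourceNames", [])
    name_ok = not names or (name is not None and name in names)
    return verb_ok and group_ok and resource_ok and name_ok


def can_i(subject: Dict[str, str], verb: str, resource: str, namespace: str,
          name: Optional[str] = None, group: str = "",
          roles: Sequence[dict] = (ROLE,),
          bindings: Sequence[dict] = (ROLE_BINDING,)) -> bool:
    """The answer `kubectl auth can-i VERB RESOURCE/NAME -n NAMESPACE` would
    give for this subject: allowed if any binding in the namespace names the
    subject and its Role has a rule matching the request."""
    roles_by_name = {r["metadata"]["name"]: r for r in roles}
    for binding in bindings:
        if binding["metadata"]["namespace"] != namespace:
            continue
        if subject not in binding["subjects"]:
            continue
        role = roles_by_name.get(binding["roleRef"]["name"])
        if role is None:
            continue
        if any(rule_matches(rule, verb, group, resource, name)
               for rule in role["rules"]):
            return True
    return False


if __name__ == "__main__":
    app = {"kind": "ServiceAccount", "name": "app", "namespace": "prod"}
    batch = {"kind": "ServiceAccount", "name": "batch", "namespace": "prod"}
    print(can_i(app, "get", "secrets", "prod", "cloudsql-user-credentials"))   # True
    print(can_i(app, "get", "secrets", "prod", "some-other-secret"))           # False
    print(can_i(app, "list", "secrets", "prod"))                               # False
    print(can_i(batch, "get", "secrets", "prod", "cloudsql-user-credentials")) # False
```

This is the control the answer refers to: it does nothing about a process that is already inside the container, but it decides which identities can pull the value out through the API in the first place, and `kubectl auth can-i --as=system:serviceaccount:prod:app get secrets/cloudsql-user-credentials -n prod` is the real-cluster check for it.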