Secret storage in JupyterHub or Helm? (Running on Kubernetes on AWS EKS)

3/7/2019

I have JupyterHub running on a Kubernetes cluster in AWS EKS (managed Kubernetes on AWS).

I need to know if there is any way for me to store or configure a sensitive secret that can be accessed during a notebook server instance startup, but only by the server processes. It should never be accessible by any normal users or malicious users.

Specifically, I have a custom "postStart" step, configured in my Helm chart:

proxy:
  # ...

auth:
  # ...

singleuser:
  image:
    # ...
  lifecycleHooks:
    postStart:
      exec:
        command: ["/bin/sh", "-c", "custom-program -password abcdefg12345"] # <-- THIS. 

How can I safely store my password, e.g. abcdefg12345 above, so that it can never be accessible to any users of the JupyterHub cluster? (Except admins)

Would it be safe in the Helm chart config file? Where does Helm store the postStart lifecycleHook command?

-- James Wierzba
amazon-web-services
jupyter-notebook
kubernetes
kubernetes-helm

1 Answer

3/9/2019

Kubernetes has the concept of Secrets and allows you to configure role-based access control (RBAC) for these. For the Pod running your server you need to create a ServiceAccount.

-- webwurst
Source: StackOverflow
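
The Secret, ServiceAccount and RBAC objects the answer refers to could look like the following manifests. This is an added example, not part of the original answer, and the namespace and object names (`jhub`, `custom-program-password`, `notebook-server`) are assumptions.

```yaml
# Added example. Namespace and names are assumptions, not values from the question.
apiVersion: v1
kind: Secret
metadata:
  name: custom-program-password
  namespace: jhub
type: Opaque
stringData:
  password: REPLACE_ME   # placeholder; set the real value out of band
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: notebook-server
  namespace: jhub
---
# Role scoped to this one Secret: "get" only, no "list" or "watch",
# so the holder cannot enumerate other Secrets in the namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-custom-program-password
  namespace: jhub
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["custom-program-password"]
    verbs: ["get"]
---
# Bind the Role to the ServiceAccount only; no users or groups are listed.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: notebook-server-reads-password
  namespace: jhub
subjects:
  - kind: ServiceAccount
    name: notebook-server
    namespace: jhub
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: read-custom-program-password
```

RBAC here controls reads through the Kubernetes API only: any process in a container that mounts this Secret, or that holds the `notebook-server` token, can read the password, so check what the single-user container exposes to notebook users.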