K
Q

How do I prevent access to a mounted secret file?

4/30/2019

I have a spring boot app which loads a yaml file at startup containing an encryption key that it needs to decrypt properties it receives from spring config.

Said yaml file is mounted as a k8s secret file at etc/config/springconfig.yaml

If my springboot is running I can still sh and view the yaml file with "docker exec -it 123456 sh" How can I prevent anyone from being able to view the encryption key?

-- user6388032
docker
kubernetes
spring-boot

Similar Questions

permission error: service account don't have access to cloud-ml platform
Restrict user to access only one service in a namespace
How to structure/group Kubernetes Deployments?
How to communicate between services in Kubernetes in a secure way
What should be the memory usage alert criteria for Cockroachdb running in Kubernetes?
How to use variables in Istio VirtualService?
Can't connect to the ETCD of Kubernetes

5 Answers

4/30/2019

A possibility is to use sysdig falco (https://sysdig.com/opensource/falco/). This tool will look at pod event, and can take action when a shell is started in your container. Typical action would be to immediately kill the container, so reading secret cannot occurs. And kubernetes will restart the container to avoid service interruption.

Note that you must forbids access to the node itself to avoid docker daemon access.

-- Alexandre Cartapanis
Source: StackOverflow
4/30/2019

In general, the problem is even worse than just simple access to Docker daemon. Even if you prohibit SSH to worker nodes and no one can use Docker daemon directly - there is still possibility to read secret.

If anyone in namespace has access to create pods (which means ability to create deployments/statefulsets/daemonsets/jobs/cronjobs and so on) - it can easily create pod and mount secret inside it and simply read it. Even if someone have only ability to patch pods/deployments and so on - he potentially can read all secrets in namespace. There is no way how you can escape that.

For me that's the biggest security flaw in Kubernetes. And that's why you must very carefully give access to create and patch pods/deployments and so on. Always limit access to namespace, always exclude secrets from RBAC rules and always try to avoid giving pod creation capability.

-- Vasily Angapov
Source: StackOverflow
4/30/2019
  1. You can delete that file, once your process fully gets started. Given your app doesnt need to read from that again.

OR,

  1. You can set those properties via --env-file, and your app should read from environment then. But, still if you have possibility of someone logging-in to that container, he can read environment variables too.

OR,

  1. Set those properties into JVM rather than system environment, by using -D. Spring can read properties from JVM environment too.
-- Gorav Singal
Source: StackOverflow
4/30/2019

You can try mounting the secret as an environment variable. Once your application grabs the secret on startup, the application can then unset that variable rendering the secret inaccessible thereon.

Hope this helps!

-- Frank Yucheng Gu
Source: StackOverflow
4/30/2019

You need to restrict access to the Docker daemon. If you are running a Kubernetes cluster the access to the nodes where one could execute docker exec ... should be heavily restricted.

-- Lukas Eichler
Source: StackOverflow