how to secure the plain credentials used in k8s pull secrets

9/30/2019

We are seeing the plain credentials as part of the k8s pull secrets file. Is there any way to safely secure them so that admins/users who have full rights cannot misuse them?

Pull-Secret Example:

.dockercfg:
  {"dockercentral.test.com:5050":
    {"username": "test.it.com",
     "password": "dwew32",
     "email": "mark.test@yahoo.com",
     "auth": "br23231fsdfdfsdfs3211"
    }
  }

Above is the pull-secrets file, where we see the username and password values in plain text. Please help with safely securing them in k8s!

-- Manigandan Thanigai Arasu
authentication
credentials
encoding
kubernetes
kubernetes-secrets

2 Answers

10/1/2019

You can follow this guide from the Kubernetes documentation to create a secret of type docker-registry to authenticate with a container registry.

Example of docker-registry secret:

apiVersion: v1
kind: Secret
metadata:
  name: myregistrykey
  namespace: awesomeapps
data:
  .dockerconfigjson: UmVhbGx5IHJlYWxseSByZWVlZWVlZWVlZWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGx5eXl5eXl5eXl5eXl5eXl5eXl5eSBsbGxsbGxsbGxsbGxsbG9vb29vb29vb29vb29vb29vb29vb29vb29vb25ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubmdnZ2dnZ2dnZ2dnZ2dnZ2dnZ2cgYXV0aCBrZXlzCg==
type: kubernetes.io/dockerconfigjson

As you can see, this kind of secret doesn't have plain-text credentials.

However, a user with cluster-admin rights can still easily decode them.

-- Piotr Malec
Source: StackOverflow

10/2/2019

As Matthew pointed out, the main question currently is what you are trying to protect:

  • If you're trying to protect it inside the cluster, you can use Kubernetes RBAC and limit access of specific users to the secret containing those credentials - just create a Role/ClusterRole that denies the permissions to get secrets in a specific namespace (or all namespaces). Then, bind this role (using RoleBinding/ClusterRoleBinding) to the relevant users - see the docs for more details.
  • If you're asking "how to store it securely", Secrets is the way to go (as Piotr pointed out). This raises the question "how to store the secret" - and I cover a few options in this post.

Hope that answers your question :)

-- Omer Levi Hevroni
Source: StackOverflow
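The following is an added example, not code from either answer above: it builds a `kubernetes.io/dockerconfigjson` pull secret the way `kubectl create secret docker-registry` does, shows that the stored value is only base64 (an encoding, not encryption, which is why a principal allowed to `get` the Secret recovers the password), and expresses the RBAC restriction from the second answer as an allow-list Role scoped to one Secret by name, since Kubernetes RBAC has no deny rules. The registry host, user and password are constructed sample values.

```python
import base64
import json

# Constructed sample values, not real credentials.
REGISTRY = "dockercentral.test.com:5050"
USERNAME = "test.it.com"
PASSWORD = "dwew32"


def b64(s: str) -> str:
    """Standard base64 of a UTF-8 string, as used in Secret 'data' fields."""
    return base64.b64encode(s.encode()).decode()


def build_pull_secret(name: str, namespace: str, registry: str,
                      username: str, password: str, email: str = "") -> dict:
    """Secret manifest of type kubernetes.io/dockerconfigjson.
    The 'auth' field is base64(username:password), as in Docker's config.json."""
    dockerconfig = {"auths": {registry: {
        "username": username, "password": password, "email": email,
        "auth": b64(f"{username}:{password}")}}}
    return {
        "apiVersion": "v1", "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": b64(json.dumps(dockerconfig))},
    }


def recover_credentials(secret: dict) -> dict:
    """Undo the two base64 layers: anyone permitted to `get` this Secret
    reads every registry credential in plain text. No key is involved."""
    cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    creds = {}
    for registry, entry in cfg["auths"].items():
        user, _, pw = base64.b64decode(entry["auth"]).decode().partition(":")
        creds[registry] = (user, pw)
    return creds


def secret_reader_role(namespace: str, secret_name: str,
                       role_name: str = "pull-secret-reader") -> dict:
    """RBAC is additive, so restriction means granting `get` on only the
    named Secret and binding this Role to the few principals that need it;
    subjects without such a rule cannot read the Secret at all."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
        "metadata": {"name": role_name, "namespace": namespace},
        "rules": [{"apiGroups": [""], "resources": ["secrets"],
                   "resourceNames": [secret_name], "verbs": ["get"]}],
    }
```

Note that `resourceNames` only constrains `get`, `update`, `patch` and `delete`; a `list` or `watch` grant on secrets still returns every Secret in the namespace, so keep those verbs off the Role.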