K
Q

Warnings in Kubernetes "Storing keys in a directory '{path}' that may not be persisted outside of the container. "

9/22/2021

We are getting warnings in our production logs for .Net Core Web API services that are running in Kubernetes.

Storing keys in a directory '{path}' that may not be persisted outside of the container. Protected data will be unavailable when container is destroyed.","@l":"Warning","path":"/root/.aspnet/DataProtection-Keys",SourceContext:"Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository"

We do not explicitly call services.AddDataProtection() in StartUp, but it seems that we are getting the warnings for services that are using .Net Core 3.1 and .Net 5.(not for .Net Core 2.1) ,that also have in StartUp 

services.AddAuthentication Or 
services.AddMvc()

(May be there are other conditions that I am missing).

I am not able to identify exactly, where it's called but locally I can see related DLLs that are loaded before the access to DataProtection-Keys from XmlKeyManager 

 Loaded 'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.19\Microsoft.Win32.Registry.dll'. 
 Loaded 'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.19\System.Xml.XDocument.dll'. 
 Loaded 'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.19\System.Private.Xml.Linq.dll'. 
 Loaded 'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.19\System.Private.Xml.dll'. 
 Loaded 'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.19\System.Resources.ResourceManager.dll'.
Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager:
Using 'C:\Users\..\AppData\Local\ASP.NET\DataProtection-Keys' as key repository and Windows DPAPI to encrypt keys at rest.

Is it safe to ignore such warnings, considering that we do not use DataProtection explicitly, do not use authentication encryption for long periods and during testing we haven't seen any issues?

Or the error means that if different pods will be involved for the same client, authentication may fail and it will be better to do something that is suggested in https://stackoverflow.com/questions/61452280/how-to-store-data-protection-keys-outside-of-the-docker-container?

-- Michael Freidgeim
asp.net-core
data-protection
kubernetes

Similar Questions

Kubernetes "nice" a pod's CPU usage
Kubernetes equivalent of 'docker run -it'
Template for human readable date time?
Ingress controller not handling the traffic
Kubernetes Cron Jobs - Run multiple pods for a cron job

1 Answer

10/10/2021

After analysis how our applications are using protected data(authentication cookies, CSRF tokens etc) our team decided , that “Protected data will be unavailable when container is destroyed." is just a warning and would have no customer impact, so we ignore it.

But YMMV.

-- Michael Freidgeim
Source: StackOverflow