I've spent the weekend fixing and improving things around the env-injector. One of the things that now seems to work fine is removing sensitive files (the injector executable azure-keyvault-env and, if running inside Azure without custom auth, the azure.json host file containing AKS credentials - ref #25).
The main problem to solve is that we don't know how many privileges (or which user) the executing container has, so my current solution is to chmod the /azure-keyvault directory and its files with 777 (ref: azure-keyvault-secrets-webhook) and then have the executing container (through the azure-keyvault-env executable) delete the files (ref: azure-keyvault-env) as soon as they are not needed anymore.
Even though these files only exist in an in-memory volume for a few milliseconds, it still feels weird to use 777.
Anyone have a better solution? Do you see any real security issues with the current solution?
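The flow described in the issue, as an added Go example that is not part of akv2k8s or the azure-keyvault-env binary: a directory is prepared for the executing container, the injector binary and azure.json are written into it, and the executing side removes them once they are no longer needed. The function names (prepareSecretDir, writeSensitiveFiles, isWorldWritable, removeSensitiveFiles, remaining) and the file contents are constructed for the example; the file names and the 0777 fallback follow the issue text. When the target container's UID/GID happens to be known, the helper restricts the directory to that user instead of falling back to 0777, which is an assumption about an alternative, not something the project does.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// Constructed stand-in for the shared in-memory volume from the issue. The file
// names follow the post; the contents written below are placeholders.
const secretDirName = "azure-keyvault"

var sensitiveFiles = []string{"azure-keyvault-env", "azure.json"}

// prepareSecretDir mirrors the dilemma in the issue. If the executing container's
// UID is known (uid >= 0), the directory is chowned to it and restricted to 0700.
// If it is unknown, the directory falls back to world-accessible 0777, as the
// current injector does. The returned mode is what was actually applied.
func prepareSecretDir(dir string, uid, gid int) (fs.FileMode, error) {
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return 0, err
	}
	mode := fs.FileMode(0o777)
	if uid >= 0 {
		mode = 0o700
		if err := os.Chown(dir, uid, gid); err != nil {
			return 0, fmt.Errorf("chown %s: %w", dir, err)
		}
	}
	// Chmod explicitly: MkdirAll is filtered by the umask, so 0777 would not survive it.
	if err := os.Chmod(dir, mode); err != nil {
		return 0, err
	}
	return mode, nil
}

// writeSensitiveFiles stands in for the webhook copying the injector binary and
// azure.json into the volume, applying the same mode as the directory.
func writeSensitiveFiles(dir string, mode fs.FileMode) error {
	for _, name := range sensitiveFiles {
		p := filepath.Join(dir, name)
		if err := os.WriteFile(p, []byte("constructed placeholder for "+name+"\n"), mode); err != nil {
			return err
		}
		if err := os.Chmod(p, mode); err != nil { // undo the umask, as above
			return err
		}
	}
	return nil
}

// isWorldWritable reports whether "other" has write permission on path, i.e.
// whether any user in the container could replace or alter what lives there.
func isWorldWritable(path string) (bool, error) {
	st, err := os.Stat(path)
	if err != nil {
		return false, err
	}
	return st.Mode().Perm()&0o002 != 0, nil
}

// removeSensitiveFiles is the cleanup step from the issue: the executing side
// deletes the binary and azure.json as soon as the secrets are loaded. A file
// that is already gone is not an error (cleanup must be safe to repeat); any
// other failure is returned so the caller can refuse to continue.
func removeSensitiveFiles(dir string) error {
	var first error
	for _, name := range sensitiveFiles {
		err := os.Remove(filepath.Join(dir, name))
		if err != nil && !errors.Is(err, fs.ErrNotExist) && first == nil {
			first = err
		}
	}
	return first
}

// remaining lists which sensitive files still exist under dir.
func remaining(dir string) []string {
	var left []string
	for _, name := range sensitiveFiles {
		if _, err := os.Stat(filepath.Join(dir, name)); err == nil {
			left = append(left, name)
		}
	}
	return left
}

func main() {
	base, err := os.MkdirTemp("", "akv-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	dir := filepath.Join(base, secretDirName)

	// Unknown user: the 0777 fallback described in the issue.
	mode, err := prepareSecretDir(dir, -1, -1)
	if err != nil {
		panic(err)
	}
	ww, _ := isWorldWritable(dir)
	fmt.Printf("dir mode %o, world-writable: %v\n", mode, ww)
	if err := writeSensitiveFiles(dir, mode); err != nil {
		panic(err)
	}
	fmt.Println("before cleanup:", remaining(dir))
	if err := removeSensitiveFiles(dir); err != nil {
		panic(err)
	}
	fmt.Println("after cleanup:", remaining(dir))
}
```

The isWorldWritable check is the one worth keeping around: it makes the difference between the two branches of prepareSecretDir observable, and it is a cheap thing to assert from the executing side before trusting a binary found in the shared volume.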