[Question] A better way to handle deletion of sensitive data/files? #40
Labels
question
Further information is requested
Milestone
Comments
|
Closing. A better solution will be available in v 1.1.0. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I've spent the weekend fixing and improving things around the env-injector. One of the tings that now seams to work fine, is removing sensitive files (the injector executable
azure-keyvault-envand if running inside Azure without custom auth, theazure.jsonhost file containing AKS credentials - ref #25 )The main problem to solve, is that we don't know how much privileges (or which user) the executing container has, so my current solution is to
chmodthe/azure-keyvaultdirectory and its files with777(ref: azure-keyvault-secrets-webhook) and then have the executing container (throughthe azure-keyvault-envexecutable) delete the files (ref: azure-keyvault-env) as soon as they are not needed anymore.Even though these files only exist in a in-memory volume for a few milliseconds, it still feels weird to use
777.Anyone have a better solution? Do you see any reel security issues with the current solution?
The text was updated successfully, but these errors were encountered: