Avoid putting secrets to ETCD #46
Hey @max-lobur, how much does using encryption at rest mitigate your concerns around etcd storage?
Thanks, that's helpful for understanding the potential priority of an addition like this.
Include an example of using `npm run poll` as an Init Container. Part of the design proposed here: #46
I did some planning for this and some initial implementation work:
Feel free to jump in and give feedback (especially on #78) or help out with coding 😛
If etcd is encrypted does all of this still matter? My understanding is that EKS does encrypt etcd; aws/containers-roadmap#263 (comment). I haven't verified, but I assume EKS uses KMS to encrypt etcd.
Yes it matters because it's unencrypted in etcd api / k8s api. Implementation example https://github.com/cruise-automation/daytona
Can't K8s API access be controlled using RBAC? I understand that there are integrations for Vault that don't store secrets in etcd. This one: https://github.com/banzaicloud/bank-vaults uses a mutating admission webhook. I'm not suggesting that they're all getting it wrong. I'm just trying to fully understand it if I can.
You can encrypt the actual value in etcd on EKS this way -> https://aws.amazon.com/blogs/containers/using-eks-encryption-provider-support-for-defense-in-depth/ Note that this is not at rest, the KMS encryption happens at the k8s API level, before it's stored in etcd. I believe other k8s implementations should support envelope encryption with a CMK as well.
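The two claims in the thread above (the API server can envelope-encrypt a Secret before it reaches etcd, yet the Secret is still plaintext to anyone who can read it through the Kubernetes API) are both checkable. The following is an added example written for this page, not code from kubernetes-external-secrets or from any commenter. `classifyEtcdValue` takes the raw bytes of a `/registry/secrets/<ns>/<name>` key as read directly from etcd (for example with `etcdctl get ... --print-value-only` on a cluster where you hold etcd client certificates) and reports whether one of the upstream kube-apiserver encryption providers wrapped it; `decodeSecretData` shows what any client with RBAC read access gets regardless. The envelope prefixes are the ones the upstream providers write; the provider name `eks-kms-provider` and all sample bytes are constructed for the example and not taken from a real cluster.

```javascript
// Added example (not project code): inspect what the API server persisted for a Secret.
// Envelope markers written by the upstream kube-apiserver encryption providers;
// a value carrying none of them was stored by the identity provider, i.e. in plaintext.
const ENVELOPE_PREFIXES = [
  { prefix: 'k8s:enc:kms:v1:', provider: 'kms' },
  { prefix: 'k8s:enc:kms:v2:', provider: 'kms' },
  { prefix: 'k8s:enc:aescbc:v1:', provider: 'aescbc' },
  { prefix: 'k8s:enc:aesgcm:v1:', provider: 'aesgcm' },
  { prefix: 'k8s:enc:secretbox:v1:', provider: 'secretbox' },
];
// Plaintext objects serialised as protobuf start with this magic; JSON storage starts with '{'.
const PROTOBUF_MAGIC = Buffer.from('k8s\x00', 'latin1');

// raw: Buffer with the etcd value. Returns { encrypted, provider, providerName?, format? }.
function classifyEtcdValue(raw) {
  const head = raw.subarray(0, 40).toString('latin1');
  for (const { prefix, provider } of ENVELOPE_PREFIXES) {
    if (head.startsWith(prefix)) {
      // For kms the next ':'-terminated field is the provider name from EncryptionConfiguration.
      const providerName = provider === 'kms' ? head.slice(prefix.length).split(':')[0] : null;
      return { encrypted: true, provider, providerName };
    }
  }
  if (raw.subarray(0, 4).equals(PROTOBUF_MAGIC)) return { encrypted: false, provider: 'identity', format: 'protobuf' };
  if (head.trimStart().startsWith('{')) return { encrypted: false, provider: 'identity', format: 'json' };
  return { encrypted: false, provider: 'unknown', format: 'unknown' };
}

// What every API client sees, with or without etcd encryption: `data` is plain base64.
function decodeSecretData(secret) {
  const out = {};
  for (const [key, value] of Object.entries(secret.data || {})) {
    out[key] = Buffer.from(value, 'base64').toString('utf8');
  }
  return out;
}

// Constructed sample etcd values (not captured from a real cluster).
const SAMPLES = {
  kmsEnvelope: Buffer.concat([Buffer.from('k8s:enc:kms:v1:eks-kms-provider:'), Buffer.from([0x00, 0x2a, 0x9f, 0x11])]),
  plainProtobuf: Buffer.concat([PROTOBUF_MAGIC, Buffer.from([0x0a, 0x0f]), Buffer.from('/v1, Kind=Secret')]),
  plainJson: Buffer.from('{"kind":"Secret","apiVersion":"v1","data":{"password":"aHVudGVyMg=="}}'),
};
// Constructed Secret as returned by `kubectl get secret -o json`.
const SAMPLE_SECRET = { kind: 'Secret', apiVersion: 'v1', data: { password: 'aHVudGVyMg==' } };

function report() {
  const rows = Object.entries(SAMPLES).map(([name, raw]) => ({ name, ...classifyEtcdValue(raw) }));
  return { etcd: rows, viaApi: decodeSecretData(SAMPLE_SECRET) };
}

console.log(JSON.stringify(report(), null, 2));
```

Run it with `node` to see the three etcd classifications next to the decoded API view. The practical check on a real cluster is the first half: if the raw etcd value for a Secret does not start with one of the `k8s:enc:` prefixes, the encryption provider is not actually in effect for that resource (for example because the object was written before the provider was configured and has not been rewritten since).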
Hi,
This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 30 days. |
This issue was closed because it has been stalled for 30 days with no activity. |
The current implementation creates an etcd object with a base64-encoded secret, which may potentially leak later.
Allow putting secrets in a volume, e.g. add a mutating webhook which adds an initContainer, which fetches and writes secrets to a volume shared with a container.
Pros:
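The design described in the issue body above is a mutating admission webhook that rewrites a Pod so an initContainer fetches the secrets and writes them into a volume the app containers share. The following is an added example for this page, not the project's own webhook and not code from the issue: it builds the RFC 6902 JSON Patch such a webhook returns to the API server and wraps it in an AdmissionReview response. Everything named here is an assumption for the example: the opt-in and marker annotations, the init image, the mount path, the `SECRETS_OUTPUT_DIR` environment variable, and the sample AdmissionReview request; only the `npm run poll` command comes from the thread.

```javascript
// Added example (not project code): JSON Patch for injecting a secret-fetching initContainer.
const ANNOTATION = 'external-secrets.example/inject';     // hypothetical opt-in annotation
const INJECTED = 'external-secrets.example/injected';     // hypothetical idempotence marker
const VOLUME = 'external-secrets';
const MOUNT_PATH = '/var/run/secrets/external';           // hypothetical mount point
const DEFAULT_IMAGE = 'example/external-secrets-poller:latest'; // hypothetical init image

// JSON Pointer escaping (RFC 6901) for annotation keys containing '/'.
function escapePointer(s) { return s.replace(/~/g, '~0').replace(/\//g, '~1'); }

// Returns the list of JSON Patch operations for `pod`, or [] when nothing should change.
function buildInjectionPatch(pod, { image = DEFAULT_IMAGE } = {}) {
  const ann = (pod.metadata && pod.metadata.annotations) || {};
  if (ann[ANNOTATION] !== 'true') return [];   // not opted in
  if (ann[INJECTED] === 'true') return [];     // webhook re-invoked on an already mutated pod
  const spec = pod.spec || {};
  const ops = [];

  // Shared volume on tmpfs (medium: Memory) so the plaintext never lands on node disk.
  const volume = { name: VOLUME, emptyDir: { medium: 'Memory' } };
  ops.push(spec.volumes
    ? { op: 'add', path: '/spec/volumes/-', value: volume }       // append to existing array
    : { op: 'add', path: '/spec/volumes', value: [volume] });     // array does not exist yet

  // initContainer inserted first so it completes before any other init or app container.
  const init = {
    name: 'external-secrets-init',
    image,
    command: ['npm', 'run', 'poll'],
    env: [{ name: 'SECRETS_OUTPUT_DIR', value: MOUNT_PATH }],   // hypothetical poller setting
    volumeMounts: [{ name: VOLUME, mountPath: MOUNT_PATH }],
    securityContext: { runAsNonRoot: true, allowPrivilegeEscalation: false },
  };
  ops.push(spec.initContainers
    ? { op: 'add', path: '/spec/initContainers/0', value: init }
    : { op: 'add', path: '/spec/initContainers', value: [init] });

  // Read-only mount into every app container.
  (spec.containers || []).forEach((c, i) => {
    const mount = { name: VOLUME, mountPath: MOUNT_PATH, readOnly: true };
    ops.push(c.volumeMounts
      ? { op: 'add', path: `/spec/containers/${i}/volumeMounts/-`, value: mount }
      : { op: 'add', path: `/spec/containers/${i}/volumeMounts`, value: [mount] });
  });

  // Marker so a second admission pass is a no-op (annotations map exists: opt-in was read from it).
  ops.push({ op: 'add', path: `/metadata/annotations/${escapePointer(INJECTED)}`, value: 'true' });
  return ops;
}

// Builds the AdmissionReview the webhook returns; the patch travels base64-encoded.
function admissionResponse(review) {
  const ops = buildInjectionPatch(review.request.object);
  const response = { uid: review.request.uid, allowed: true };
  if (ops.length > 0) {
    response.patchType = 'JSONPatch';
    response.patch = Buffer.from(JSON.stringify(ops)).toString('base64');
  }
  return { apiVersion: review.apiVersion, kind: review.kind, response };
}

// Constructed AdmissionReview request (not a real capture) with pre-existing
// volumes, initContainers and mounts, so the append branches are exercised.
const SAMPLE_REVIEW = {
  apiVersion: 'admission.k8s.io/v1',
  kind: 'AdmissionReview',
  request: {
    uid: '6d2e0a1c-0000-4000-8000-000000000001',
    operation: 'CREATE',
    object: {
      metadata: { name: 'web', namespace: 'default', annotations: { [ANNOTATION]: 'true' } },
      spec: {
        volumes: [{ name: 'tmp', emptyDir: {} }],
        initContainers: [{ name: 'migrate', image: 'example/migrate' }],
        containers: [{ name: 'web', image: 'example/web', volumeMounts: [{ name: 'tmp', mountPath: '/tmp' }] }],
      },
    },
  },
};

console.log(JSON.stringify(admissionResponse(SAMPLE_REVIEW), null, 2));
```

Two caveats a reviewer would raise against this design regardless of the patch shape: the initContainer still needs credentials to the secret backend (whatever identity the poller image runs with), and a file on a tmpfs volume is readable by anyone allowed to `kubectl exec` into the pod, so RBAC on `pods/exec` matters as much as RBAC on `secrets` did before.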