[Security] vsphere cloud provider configuration should use secrets for credentials #194
Comments
sflxn
added
the
kind/feature
|
I agree, actually I also noticed this problem when I tried the cluster api first time. |
|
In the cluster.yaml file, I am thinking if we need to use fernet to encrypt the vsphere credential. |
sflxn
added
the
priority/important-soon
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
the
lifecycle/stale
|
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
lifecycle/rotten
|
/remove-lifecycle rotten |
k8s-ci-robot
removed
the
lifecycle/rotten
Currently the cloud config that we generate as
/etc/kubernetes/cloud-config/cloud-config.yamlfile on the master node contains the vsphere credentials in plain text format. vsphere cloud provider supports providing these sensitive credentials via secrets out of the box. (for e.g see the test case here). Note that this approach is supported by both in-tree and out-of-tree version of the vsphere cloud provider.We need to move towards setting the vcenter credentials via secrets for the consumption of the vsphere cloud provider configuration.
However, the only catch here is that today we use kubeadm to setup and configure the kubernetes service with the vsphere cloud provider. Thus, within the workflow if kubeadm we do not have a means to create the secret needed for the vsphere cloud provider prior to starting it. Thus we would need to overcome this limitation somehow.
Note: This issue is different that #9 as that is related to credentials stored as part of the cluster-api objects and this issue is about consumption of the credentials for the vsphere cloud provider that we configure for the target cluster.
The text was updated successfully, but these errors were encountered: