New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Secrets should be read-only by root #7554
Comments
Are you talking about the secrets files on the /tmpfs from the node's view? I agree those should be readable only by root. Or are you talking about the mount of the secret volume seen inside the container? Those I don't think need to be readable by root-only by default. There is usually only one application inside the container, and it needs to run as a user that can access the secret, so it can use it. |
It's the latter - I can see there being two types of secrets - one that needs accessing by the application running on the container, and one that may be useful in one-time setup. The one-time setup ones could be more sensitive and need hiding from non-root. |
@pmorie you had mentioned settable secret file permissions. Anything to add to this conversation? |
@erictune @aronchick I missed the tag into this issue. We've gone around about settable permissions for secrets -- perhaps this is another data point we can use to inform that discussion. @aronchick could you give an example of a secret that shouldn't be readable by non-root UIDs? |
@pmorie Sure - let's say I wanted to do something that required root access to the box / elevated access to my database as the container started (e.g. run a migration, check a mount, etc). I would not want this readable by the account that runs the web server on that container, but I would want it to be available on the container when it starts. |
@aronchick There are no sig labels on this issue. Please add a sig label by: |
/sig node |
Issues go stale after 90d of inactivity. Prevent issues from auto-closing with an If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or |
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or |
Rotten issues close after 30d of inactivity. Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
Well designed applications run as non-root, so having secrets only readable by root would improve the levels of defense in depth.
The text was updated successfully, but these errors were encountered: