0

We are seeing the plain credentials as part of the k8s pull-secrets file. Is there any way to safely secure them so that admins/users who have full rights cannot misuse them?

Pull-Secret Example:

.dockercfg:

```json
{
  "dockercentral.test.com:5050": {
    "username": "test.it.com",
    "password": "dwew32",
    "email": "mark.test@yahoo.com",
    "auth": "br23231fsdfdfsdfs3211"
  }
}
```

Above is the pull-secrets file, where we see the username and password values in plain text. Please help with safely securing them in k8s!

Laurenz Albe
    All Secrets are merely base64-ed within kubernetes, but are you trying to defend against someone with `cluster-admin` gaining access to your secrets in the cluster? What is the threat model you are trying to defend against here? – mdaniel Oct 01 '19 at 06:44
  • @MatthewLDaniel does it need `cluster-admin` though? Doesn't every kubelet have access to everything as well. So taking over _any_ node leaks all the secrets. – zerkms Oct 02 '19 at 06:45
  • Yes, kubelet necessarily needs access in order to create containers. As for the Node, if you are allowing people to gain `root` access to your Nodes, they will have access to all the bind mounts and docker environment variables therein. Perhaps a system like [vault](https://github.com/hashicorp/vault#readme) has security guarantees you would like better? As several people have asked, what is the threat model you are trying to defend against? – mdaniel Oct 02 '19 at 16:07
  • @MatthewLDaniel I'm not the OP. I just pointed out that your example is a bit extreme (as there are some other significantly less powerful roles with much more realistic attack vectors) and one does not need to be `cluster-admin` to gain access to kubernetes secrets. – zerkms Oct 03 '19 at 03:06

2 Answers

0

You can follow this guide from the kubernetes documentation to create a secret of the docker-registry type to authenticate with a container registry.

Example of docker-registry secret:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: myregistrykey
  namespace: awesomeapps
data:
  .dockerconfigjson: UmVhbGx5IHJlYWxseSByZWVlZWVlZWVlZWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGx5eXl5eXl5eXl5eXl5eXl5eXl5eSBsbGxsbGxsbGxsbGxsbG9vb29vb29vb29vb29vb29vb29vb29vb29vb25ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubmdnZ2dnZ2dnZ2dnZ2dnZ2dnZ2cgYXV0aCBrZXlzCg==
type: kubernetes.io/dockerconfigjson
```

As you can see, this kind of secret doesn't have plain-text credentials.

However, a user with cluster-admin rights can still easily decode them.

Piotr Malec
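To make the last point of this answer concrete, here is an added example (not code from the question or the answer): it builds the same kind of `kubernetes.io/dockerconfigjson` Secret that `kubectl create secret docker-registry` produces, then decodes it back. The registry host and credentials are the constructed values from the question; the `auth` field is assumed to be `base64("username:password")`, which is the Docker config convention. Nothing in `data:` is encrypted, so any identity allowed to `get` the Secret recovers the password directly; the same holds for the legacy `.dockercfg` layout in the question.

```python
import base64
import json

# Added example, not from the question or either answer. Host, user name and
# password are the constructed values from the question.


def build_pull_secret_manifest(name, namespace, registry, username, password, email):
    """Return a Secret manifest (dict) of type kubernetes.io/dockerconfigjson.

    The `auth` field is base64("username:password"); the whole JSON config is then
    base64-encoded once more, which is all that `data:` in a Secret does.
    """
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    dockerconfig = {
        "auths": {
            registry: {
                "username": username,
                "password": password,
                "email": email,
                "auth": auth,
            }
        }
    }
    encoded = base64.b64encode(json.dumps(dockerconfig).encode()).decode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": encoded},
    }


def recover_registry_credentials(manifest):
    """Decode a pull Secret and return {registry: (username, password)}.

    Handles the current `.dockerconfigjson` layout ({"auths": {...}}) and the legacy
    `.dockercfg` layout ({"<registry>": {...}}) shown in the question. When an entry
    carries only `auth`, user name and password are recovered from it, because
    `auth` is just base64("username:password").
    """
    data = manifest.get("data", {})
    if ".dockerconfigjson" in data:
        config = json.loads(base64.b64decode(data[".dockerconfigjson"]))
        entries = config.get("auths", {})
    elif ".dockercfg" in data:
        entries = json.loads(base64.b64decode(data[".dockercfg"]))
    else:
        raise ValueError("not a docker-registry Secret")

    creds = {}
    for registry, entry in entries.items():
        username = entry.get("username")
        password = entry.get("password")
        if (username is None or password is None) and "auth" in entry:
            username, _, password = (
                base64.b64decode(entry["auth"]).decode().partition(":")
            )
        creds[registry] = (username, password)
    return creds


# Constructed legacy-format manifest (type kubernetes.io/dockercfg) that carries
# only the `auth` field, as some older tooling writes it.
LEGACY_EXAMPLE_MANIFEST = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "oldregistrykey", "namespace": "awesomeapps"},
    "type": "kubernetes.io/dockercfg",
    "data": {
        ".dockercfg": base64.b64encode(json.dumps({
            "dockercentral.test.com:5050": {
                "email": "mark.test@yahoo.com",
                "auth": base64.b64encode(b"test.it.com:dwew32").decode(),
            }
        }).encode()).decode()
    },
}


if __name__ == "__main__":
    manifest = build_pull_secret_manifest(
        "myregistrykey", "awesomeapps", "dockercentral.test.com:5050",
        "test.it.com", "dwew32", "mark.test@yahoo.com",
    )
    # The stored value looks opaque ...
    print(manifest["data"][".dockerconfigjson"][:40] + "...")
    # ... but decodes straight back to the password for anyone who can read it.
    print(recover_registry_credentials(manifest))
    print(recover_registry_credentials(LEGACY_EXAMPLE_MANIFEST))
```

The practical consequence for the question's threat model: the base64 layer protects against nothing; what limits who can read the password is RBAC on `secrets` in that namespace, and (for the data at rest in etcd) the API server's encryption-at-rest configuration.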
0

As Matthew pointed out, currently the main question is what you are trying to protect:

  • If you're trying to protect it inside the cluster, you can use Kubernetes RBAC and limit access of specific users to the secret containing those credentials - just create a Role/ClusterRole that denies the permissions to get secrets in a specific namespace (or all namespaces). Then, bind this role (using RoleBinding/ClusterRoleBinding) to the relevant users - see the docs for more details.
  • If you're asking "how to store it securely", Secrets is the way to go (as Piotr pointed out). This raises the question "how to store the secret" - and I cover a few options in this post.

Hope that answers your question :)

Omer Levi Hevroni
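As an added example of the first bullet above (this is not the answer's own manifest), here is a Role/RoleBinding pair scoped to one pull Secret. One caveat a practitioner needs: Kubernetes RBAC is purely additive, there are no deny rules, so "restricting" access means granting `get` on the named Secret only to the identities that really need it and binding nothing broader. The namespace `awesomeapps` and Secret name `myregistrykey` are taken from Piotr's example; the ServiceAccount `registry-rotator` is an assumed name for whatever process legitimately reads the credential.

```yaml
# Added example, not from the answer above. Names are assumed.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-registry-pull-secret
  namespace: awesomeapps
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    # resourceNames narrows get/update/patch/delete only; it cannot narrow
    # list or watch, so those verbs are deliberately not granted here.
    resourceNames: ["myregistrykey"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-registry-pull-secret
  namespace: awesomeapps
subjects:
  - kind: ServiceAccount
    name: registry-rotator
    namespace: awesomeapps
roleRef:
  kind: Role
  name: read-registry-pull-secret
  apiGroup: rbac.authorization.k8s.io
```

Two design points. First, a workload that references `myregistrykey` through `imagePullSecrets` needs no binding at all: the kubelet reads the Secret to pull the image, the pod's own ServiceAccount never has to. Second, check the result rather than assuming it, for both the intended subject and someone who should be denied, e.g. `kubectl auth can-i get secrets/myregistrykey -n awesomeapps --as=system:serviceaccount:awesomeapps:registry-rotator` (expected `yes`) and the same command with `list` as the verb (expected `no`). As the comments above note, none of this binds anyone holding `cluster-admin` or root on a node; that is a different threat model.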