0

Is it possible to configure k8s in a way that empty secrets are not possible?

I had a problem in a service that somewhat the secret got overwritten with an empty one (zero bytes) and thereby my service malfunctioned. I see no advantage of having an secret empty at any time and would like to prevent empty secrets all together.

Thans for your help!

Simon Frey
  • 2,539
  • 2
  • 11
  • 20
  • What version of Kubernetes do you have ? – matt_j Feb 23 '21 at 11:09
  • I am on 1.16.15 but plan to upgrade to 1.17.15 soon – Simon Frey Feb 23 '21 at 12:13
  • If you have Kubernetes `1.19` or higher, you will be able to create [immutable Secrets](https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable). In Kubernetes `1.18` it's also available but the `ImmutableEphemeralVolumes` feature gate must be enabled. – matt_j Feb 23 '21 at 12:41
  • Nice that kubernetes will support that, but immutable is not solving my problem of empty secrets. – Simon Frey Feb 23 '21 at 14:36

1 Answers1

1

While it's not a simple answer to implement, as best I can tell what you are looking for is an Admission Controller, with a very popular one being OPA Gatekeeper

The theory is that kubernetes, as a platform, does not understand your business requirement to keep mistakes from overwriting Secrets. But OPA as a policy rules engine allows you to specify those things without requiring the upstream kubernetes to adopt those policies for everyone

An alternative is to turn on audit logging and track down the responsible party for re-education

A further alternative is to correctly scope RBAC Roles to actually deny writes to Secrets except for those credentials that are known to be trusted

mdaniel
  • 31,240
  • 5
  • 55
  • 58