
HashiCorp Vault Agent creates a sidecar that talks to the Vault server and injects secrets as files into containers. The agent presumably uses the Kubernetes Service Account in some way. But ultimately there must be a secret zero somewhere, protected somehow, and I would like to understand how it works.

What does Vault Agent use to authenticate with Vault Server, and how is that stored on disk, protected by what?

  • vaultproject.io/docs/platform/k8s/injector-csi states: "[Both Agent Injection and Vault CSI solutions] leverage the application’s Kubernetes pod service account token as Secret Zero to authenticate with Vault via the Kubernetes auth method." The Kubernetes service account token is a JWT token created using the Kubernetes API, signed by a private key owned by the API server. However, I think I have the same question as you: is this not yet another secret that could be stolen? Commented Sep 29, 2022 at 15:49
  • That probably means it is protected by the OS account the API server runs under. Commented Sep 30, 2022 at 19:53
  • That's true; however I'd expect the same to be true of a static key used to configure encryption-at-rest of native K8s secrets - which seems to be not recommended! (kubernetes.io/docs/tasks/administer-cluster/encrypt-data/…) Commented Oct 3, 2022 at 9:32
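As an added illustration (not from the question or the comments above), the following Python inspects a service account token of the kind the first comment describes, decodes its claims and reports the properties that limit the damage if the token file leaks: a projected token bound to a pod with an audience and expiry versus a legacy secret-backed token with none of these. The sample tokens, the `app`/`web` names and the `vault` audience are constructed; the signature is not checked here because Vault's Kubernetes auth method by default has the API server verify it.

```python
import base64
import json

# Where Kubernetes mounts the pod's service account token (a tmpfs volume).
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"

def _b64url(data: dict) -> str:
    # base64url without padding, the encoding JWT segments use.
    return base64.urlsafe_b64encode(json.dumps(data).encode()).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    # Payload only, no signature check: Vault's kubernetes auth method by default has
    # the API server verify the token (TokenReview), so its signing key is the root of trust.
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    payload = parts[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def assess_token(claims: dict, now: int) -> dict:
    # Properties that limit the damage if the token file leaks: projected tokens
    # carry an audience, an expiry and the owning pod; legacy secret-backed
    # tokens carry none of these and never expire.
    exp = claims.get("exp")
    return {
        "subject": claims.get("sub"),
        "bound_to_pod": "pod" in (claims.get("kubernetes.io") or {}),
        "has_audience": bool(claims.get("aud")),
        "ttl_seconds": None if exp is None else exp - now,
        "legacy_secret_token": "kubernetes.io/serviceaccount/secret.name" in claims,
    }

# Constructed sample tokens (header, claims, placeholder signature) so this runs
# without a cluster; in a pod the token would be read from SA_TOKEN_PATH instead.
HEADER = _b64url({"alg": "RS256", "kid": "constructed-kid"})
PROJECTED_TOKEN = ".".join([HEADER, _b64url({
    "iss": "https://kubernetes.default.svc", "aud": ["vault"],
    "sub": "system:serviceaccount:app:web", "iat": 1700000000, "exp": 1700003600,
    "kubernetes.io": {"namespace": "app", "pod": {"name": "web-0"},
                      "serviceaccount": {"name": "web"}},
}), "placeholder-signature"])
LEGACY_TOKEN = ".".join([HEADER, _b64url({
    "iss": "kubernetes/serviceaccount", "sub": "system:serviceaccount:app:web",
    "kubernetes.io/serviceaccount/namespace": "app",
    "kubernetes.io/serviceaccount/secret.name": "web-token-abcde",
}), "placeholder-signature"])

if __name__ == "__main__":
    for name, tok in (("projected", PROJECTED_TOKEN), ("legacy", LEGACY_TOKEN)):
        print(name, assess_token(decode_claims(tok), now=1700000000))
```

Pointing `decode_claims` at the file under `SA_TOKEN_PATH` inside a pod shows which kind of token the injector is actually relying on as secret zero.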
