I am trying to avoid kubernetes secrets view-able by any user. I tried sealed secrets, but that is just hiding secrets to be stored in version control. As soon as I apply that secret, I can see the secret using the below command.
kubectl get secret mysecret -o yaml This above command is still showing base64 encoded form of secret.
How do I avoid someone seeing the secret ( even in base64 format) with the above simple command.
You can use Hashicrop Vault or kubernetes-external-secrets (https://github.com/godaddy/kubernetes-external-secrets).
Or if you just want to restrict only, then you should create a read-only user and restrict the access for the secret for the read-only user using role & role binding.
Then if anyone tries to describe secret then it will throw access denied error.
Sample code:
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: test-secrets namespace: default rules: - apiGroups: - "" resources: - pods verbs: - get - list - watch - create - delete - apiGroups: - "" resources: - pods/exec verbs: - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: test-secrets namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: test-secrets subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: demo The above role has no access to secrets. Hence the demo user gets access denied.
There is no way to accomplish this with Kubernetes internal tools. You will always have to rely on a third-party tool.
Hashicorps Vault is one very often used solution, which is very powerful and supports some very nice features, like Dynamic Secrets or Envelope Encryption. But it can also get very complex in terms of configuration. So you need to decide for yourself what kind of solution you need.
I would recommend you using Sealed-Secrets. It encrypts your secrets and you can push the encrypted secrets safely in your repository. It has not such a big feature list, but it does exactly what you described.
You can Inject Hashicrop Vault secrets into Kubernetes pods via Init containers and keep them up to date with a sidecar container.
More details here https://www.hashicorp.com/blog/injecting-vault-secrets-into-kubernetes-pods-via-a-sidecar/
There is a VMware Secrets Manager for Cloud-Native Apps, a secure secret management store. It provides a minimal and intuitive API, ensuring practical security without compromising user experience.
https://github.com/vmware-tanzu/secrets-manager
Official documentation: https://vsecm.com/
