DaspawnW/vault-crd

Vault Token in ENV var

Closed this issue · 2 comments

Neat implementation! Suggest that you move the KUBERNETES_VAULT_TOKEN from a static definition on the ENV of the deployment to a separate secret file that the deployment mounts in with secretKeyRef. Anyone with the ability to get/list deployments will be able to steal the vault token and get all the secrets it has access to. Fewer roles/clusterroles allow get/list of secrets than deployments, so this improves the access control surrounding that sensitive token.

        env:
        - name: KUBERNETES_VAULT_TOKEN
          valueFrom:
            secretKeyRef:
              name: vault-crd-secret-name
              key: "token"
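A way to audit a cluster for the pattern described above, as an added example that is not part of vault-crd or of this issue's own code. It walks the JSON that `kubectl get deployments -A -o json` prints and flags env entries whose name looks like a credential but whose value is a literal string, while accepting entries sourced through `secretKeyRef`. The sample manifest, the `SENSITIVE_NAME` pattern and the Secret name `vault-crd-secret-name` (taken from the snippet above) are constructed for the demonstration.

```python
"""Flag Deployment env entries that carry a secret-looking value inline.

Added example, not part of vault-crd. Input is the List shape that
`kubectl get deployments -A -o json` prints; the sample below is constructed.
"""
import json
import re
import sys

# Env var names that usually carry credentials. KUBERNETES_VAULT_TOKEN is the
# variable from the issue; the other patterns are assumptions.
SENSITIVE_NAME = re.compile(r"(TOKEN|SECRET|PASSWORD|PASSWD|API_KEY)", re.IGNORECASE)

# Constructed sample: one Deployment with the token inline (the weak form),
# one that references a Secret via secretKeyRef (the corrected form).
SAMPLE_DEPLOYMENTS = json.loads("""
{
  "apiVersion": "v1",
  "kind": "List",
  "items": [
    {
      "kind": "Deployment",
      "metadata": {"name": "vault-crd-inline", "namespace": "vault-crd"},
      "spec": {"template": {"spec": {"containers": [
        {"name": "vault-crd",
         "env": [
           {"name": "KUBERNETES_VAULT_ADDRESS", "value": "https://vault.example:8200"},
           {"name": "KUBERNETES_VAULT_TOKEN", "value": "s.CONSTRUCTED-TOKEN-VALUE"}
         ]}
      ]}}}
    },
    {
      "kind": "Deployment",
      "metadata": {"name": "vault-crd-secretref", "namespace": "vault-crd"},
      "spec": {"template": {"spec": {"containers": [
        {"name": "vault-crd",
         "env": [
           {"name": "KUBERNETES_VAULT_ADDRESS", "value": "https://vault.example:8200"},
           {"name": "KUBERNETES_VAULT_TOKEN",
            "valueFrom": {"secretKeyRef": {"name": "vault-crd-secret-name", "key": "token"}}}
         ]}
      ]}}}
    }
  ]
}
""")


def find_inline_secrets(deployment_list):
    """Return (namespace, deployment, container, env name) for each env entry whose
    name looks sensitive and whose value is a literal string rather than a
    valueFrom reference. Anyone who can get/list the Deployment can read it."""
    findings = []
    for item in deployment_list.get("items", []):
        meta = item.get("metadata", {})
        pod_spec = item.get("spec", {}).get("template", {}).get("spec", {})
        containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
        for container in containers:
            for env in container.get("env", []):
                if "value" in env and SENSITIVE_NAME.search(env.get("name", "")):
                    findings.append((meta.get("namespace", "default"), meta.get("name"),
                                     container.get("name"), env["name"]))
    return findings


def uses_secret_ref(deployment_list, deployment_name, env_name):
    """True when env_name in deployment_name is sourced from a Secret via secretKeyRef."""
    for item in deployment_list.get("items", []):
        if item.get("metadata", {}).get("name") != deployment_name:
            continue
        pod_spec = item.get("spec", {}).get("template", {}).get("spec", {})
        for container in pod_spec.get("containers", []):
            for env in container.get("env", []):
                if env.get("name") == env_name:
                    return "secretKeyRef" in env.get("valueFrom", {})
    return False


if __name__ == "__main__":
    # Pipe real cluster output in, or run without stdin to use the sample.
    data = SAMPLE_DEPLOYMENTS if sys.stdin.isatty() else json.load(sys.stdin)
    for ns, deploy, container, name in find_inline_secrets(data):
        print(f"{ns}/{deploy} container={container}: {name} is set inline; "
              "move it to a Secret and reference it with secretKeyRef")
```

Run it as `kubectl get deployments -A -o json | python audit_env.py`; the only finding on the sample is the inline token in `vault-crd-inline`, while `vault-crd-secretref` passes because its token comes from the Secret.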

Hi @bgeesaman,

Thank you for your response. Let's continue our discussion here ;-)
You are completely right! I'll update the deployment.yaml.

I think the way with a static Vault Token is also not the preferred one; I made a change in the past to also support Service Account Authentication. So for me the Vault Token as a static one is not so secure.

I also created a helm chart, but unfortunately I had no time so far to deploy it :-)

Together with an envoy proxy you have, I think, a good way to enable TLS communication between microservices and up-to-date TLS that refreshes automatically.

Sure. Ideally, you're using Kubernetes SA Auth to fetch this client token. But for now, this small change at least improves the current implementation a bit.