/secret-mutator-admission-webhook

Cloud-Army-Secret-Injector read secrets from GCP Secret Manager and automatically injects the values as environment variables to the application subprocess.

Primary LanguageGoApache License 2.0Apache-2.0

cloud-army-secret-admission-controller

This is a [Kubernetes admission controller] to be used as a mutating admission webhook to add a container-init with a custom binary that extract secrets from GCP Secret Manager and to push this secrets to the container entrypoint sub-process. This solution can be used to compliance with the CIS Kubernetes Benchmark v1.5.1 specially with the control id: 5.4.1 (no-secrets-as-env-vars).

Requirements

  • Google Kubernetes Engine (GKE) with Workload Identity enabled and binding between KSA and GSA (view K8S references).

NOTE: Make sure that the GSA have roles/secretmanager.secretAccessor IAM Role assigned.

  • Cert-manager controller should be installed on Kubernetes GKE (view K8S references)

  • Ensure you have the admission-webhook=enabled label in the namespace where you want to run your applications (*)

Installation:

Deploy Admission Webhook

To configure the cluster to use the admission webhook and to deploy said webhook, run the nexts installation steps:

helm repo add cloud-army https://cloud-army.github.io/helm-charts

helm install cloud-army-secret-injector cloud-army/cloud-army-secret-injector

🚨 IMPORTANT NOTE: Cert-manager controller should be installed in your cluster (view K8S references) 🚨

Then, make sure the admission webhook resources are correctly configured (in the mutator namespace):

NAME                                           READY   STATUS    RESTARTS   AGE
pod/carmy-kubernetes-webhook-87c777467-rkc9s   1/1     Running   0          35s
pod/carmy-kubernetes-webhook-87c777467-wqztv   1/1     Running   0          35s

NAME                               TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
service/carmy-kubernetes-webhook   ClusterIP   10.192.49.76   <none>        443/TCP   36s

NAME                                       READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/carmy-kubernetes-webhook   2/2     2            2           36s

NAME                                                 DESIRED   CURRENT   READY   AGE
replicaset.apps/carmy-kubernetes-webhook-87c777467   2         2         2       36s

Usage:

Deploying pods

Build and Deploy a test pod that gets secrets from GCP Secret Manager and print its in the pod console.

ℹ️ (*) Remember that: The namespace where running the applications should be labeled with admission-webhook: enabled:

kubectl label namespaces [applications_namespace] admission-webhook=enabled

🚀 Building and Deploying a test pod...

kubectl apply -f manifests/pods-example/pod-example.yaml

pod/envserver created

apiVersion: apps/v1
kind: Deployment
metadata:
  name: envprinter
spec:
  replicas: 1
  selector:
    matchLabels:
      app: envprinter
  template:
    metadata:
      labels:
        app: envprinter
    spec:
      containers:
      - name: envprinter
        image: # docker image of your application here
        imagePullPolicy: Always
        command: ["entrypoint.sh"] # Use entrypoint.sh command as a standard name

🚨 IMPORTANT NOTE: Only for test, you should create a docker image with a simple entrypoint that use printenv & sleep with time in seconds, a envsecrets-config.json file, and running the pods using Workload Identity🚨

About the envsecrets-config.json file, it is the place were declaring the GCP Secrets resources that you need consume, and it's his estructure is:

{
    "secrets":[
        {
            "env":"",
            "name":"projects/GCP_PROJECT_NUMBER/secrets/GCP_SECRET_NAME/versions/latest"
        }
    ],
    "config":
        {
            "convert_to_uppercase_var_names": true
        }
}

asciicast

For more information about the envsecrets-config.json file, check this repo https://github.com/cloud-army/envsecrets

Security Controls Compliance

CIS Google Kubernetes Engine (GKE) Benchmark v1.5.1 controls:

  • 5.4.1 Prefer using secrets as files over secrets as environment variables

NOTE: Handle secrets as environment variables inside a container is also a bad practice, this method enables to handle the secrets as a environment variable for ONLY the PID of the running application, wich is more secure for every runtime application.

  • 6.2.2 Prefer using dedicated GCP Service Accounts and Workload Identity

Contributing:

Please see the contributing guidelines.

License:

This library is licensed under Apache 2.0. Full license text is available in LICENSE.

K8S references: