opsgenie/kubernetes-event-exporter

Move Elasticsearch username and password from configmap to Kubernetes secret

asoleimanibo opened this issue · 4 comments

Hello,
I think it is not appropriate to store the Elasticsearch username and password in cleartext in a Kubernetes configmap; they should be moved to a secret.

Kubernetes secrets are also plaintext if you have read access. Base64 is not encryption. People generally restrict access to Secret objects to ensure it's not readable by anyone.

Yes, of course, but it is possible to restrict user access to secrets, while there is no way to do that for a configmap, so I think it is better to move the Elasticsearch username and password to a secret.

Most of the RBAC can be achieved with Roles/ClusterRoles for any object (including configmaps) and API verb (get, put, delete).

See: https://kubernetes.io/blog/2017/10/using-rbac-generally-available-18/

Even though it is closed, I would like to add to and emphasize @soleimaniamir's point:
A lot of tooling around Kubernetes, esp. CI tools, consider secrets as such and hide/mask their output.
On the other hand, config-maps are dumped/exposed/logged at a lot of places by default, always running the risk of an unwanted exposure by stuffing secrets into them.
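An added example, not part of the thread or the project's code: a small audit that reads the output of `kubectl get configmaps -A -o json` and reports credential-like settings that carry a literal value, which is the situation this issue describes. The key-name pattern, the rule that `${...}` references are not flagged, and the sample manifest (names and config layout) are all assumptions constructed for illustration.

```python
import json
import re

# Key names that usually carry credentials (assumed list; extend as needed).
CRED_LINE = re.compile(
    r"""^\s*-?\s*["']?(?P<key>[\w.-]*(?:password|passwd|secret|token|api[_-]?key)[\w.-]*)"""
    r"""["']?\s*[:=]\s*(?P<val>.*)$""",
    re.IGNORECASE,
)
# Assumption: a value that is only a ${VAR} / $(VAR) reference is resolved elsewhere.
PLACEHOLDER = re.compile(r"""^["']?\$[{(][^})]+[})]["']?$""")


def find_cleartext_credentials(configmaps_json):
    """Return (namespace, configmap, data key, setting) for every credential-like
    setting with a literal value. The values themselves are never returned."""
    doc = json.loads(configmaps_json)
    findings = []
    for cm in doc.get("items", [doc]):  # accept a List or a single object
        if cm.get("kind") != "ConfigMap":
            continue
        meta = cm.get("metadata", {})
        for data_key, text in (cm.get("data") or {}).items():
            lines = text.splitlines()
            if len(lines) <= 1:  # flat entry: the data key is the setting name
                lines.append(f"{data_key}: {text}")
            for line in lines:
                m = CRED_LINE.match(line)
                if not m:
                    continue
                val = m.group("val").strip()
                if val and not PLACEHOLDER.match(val):
                    findings.append((meta.get("namespace"), meta.get("name"),
                                     data_key, m.group("key")))
    return findings


# Constructed sample input; names, layout and values are illustrative only.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "ConfigMap",
     "metadata": {"namespace": "monitoring", "name": "event-exporter-cfg"},
     "data": {"config.yaml": "receivers:\n  - name: es\n    elasticsearch:\n"
                             "      hosts:\n        - http://elasticsearch:9200\n"
                             "      username: exporter\n"
                             "      password: constructed-example-value\n"}},
    {"kind": "ConfigMap",
     "metadata": {"namespace": "monitoring", "name": "other-cfg"},
     "data": {"app.yaml": "password: ${ES_PASSWORD}\n", "log_level": "debug"}},
]})

if __name__ == "__main__":
    for ns, name, data_key, setting in find_cleartext_credentials(SAMPLE):
        print(f"{ns}/{name}: {data_key} sets '{setting}' to a literal value")
```
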