kubectl-whisper-secret plugin allows users to create secrets with secure input prompt to prevent information leakages through terminal history, shoulder surfing attacks, etc
Installing with krew
kubectl krew install whisper-secret
Installing with wget
wget https://github.com/rewanthtammana/kubectl-whisper-secret/releases/download/v1.1.0/kubectl-whisper-secret-Linux-x86_64.tar.gz
sudo tar xvf kubectl-whisper-secret-Linux-x86_64.tar.gz -C /usr/bin/
Analyze the examples below
$ kubectl create secret generic my-secret --from-literal key1=value1 --from-literal key2=value2
$ kubectl create secret docker-registry my-secret --docker-password s3cur3D0ck3rP@ssw0rD
kubectl create secret
has a few sub-commands we use most often that can possibly leak sensitive information in multiple ways like terminal history, shoulder surfing, etc.
kubectl whisper-secret
plugin allows users to create secrets with secure input prompt for fields like --from-literal
and --docker-password
that contain sensitive information
$ kubectl whisper-secret generic my-secret --from-literal key1 --from-literal key2
Enter value for key1:
Enter value for key2:
secret/my-secret created
$ kubectl whisper-secret docker-registry my-secret --docker-password -- -n test --docker-username admin
Enter value for docker password:
secret/my-secret created
$ kubectl whisper-secret docker-registry my-secret --docker-password --verbose -- -n test --docker-username admin
Enter value for docker password:
[+] Command: kubectl create docker-registry my-secret --docker-password abcdef -n test --docker-username admin
secret/my-secret created
$ kubectl whisper-secret docker-registry my-secret --docker-password --print-only
Enter value for docker password:
[*] Command: kubectl create docker-registry my-secret --docker-password abcdef
Build from Makefile
make build
Build only for Linux
make build-linux
Build with go
go get ./...
go build -o kubectl-whisper-secret main.go
mv kubectl-whisper-secret /usr/bin
Cross platform builds with go
go get ./...
GOOS=windows GOARCH=amd64 go build -o kubectl-whisper-secret.exe main.go
rewanth@ubuntu:~/go/src/kubectl-whisper-secret$ kubectl whisper-secret -h
"kubectl whisper-secret" creates kubectl secrets by taking sensitive input from console.
More info: https://github.com/rewanthtammana/kubectl-whisper-secret
Usage:
kubectl-whisper-secret [flags]
kubectl-whisper-secret [command]
Examples:
Create generic secret in default namespace:
$ kubectl whisper-secret generic my-secret --from-literal key1 --from-literal key2
Provide non-existing/unknown flags after double hypen (--)
Create generic secret in test namespace:
$ kubectl whisper-secret generic my-secret --from-literal key1 --from-literal key2 -- -n test
Create docker-registry secret in default namespace:
$ kubectl whisper-secret docker-registry my-secret --docker-password -- --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-email=DOCKER_EMAIL
Available Commands:
docker-registry Take docker-registry password input from console
generic Create generic secrets by taking input from console
help Help about any command
Flags:
-h, --help help for kubectl-whisper-secret
Use "kubectl-whisper-secret [command] --help" for more information about a command.