Authenitcation Security Model with Vault and Vault-Agent

Hello all,

I have a question regarding the security of Vault and Kubernetes integration.

I am mounting a Vault-Agent as an Init Container and then writing the Vault Token in a “sink” so afterwards the Consul Template can read it and use it to retrieve secrets which will be passed to the application using volumes. The Consul Template is deployed as a sidecar together with the application container.

A person who has access to the Kubernetes Cluster could simply exec inside the application container and read the contents of the secrets. However, secrets should be only visible by the application itself (which is the one that really needs to know the secret, not someone that can access the Cluster). To solve that I used the hook lifeCycle -> postStart that Kubernetes Pods offer to remove the secret mounted in the container filesystem (that is something that is not explained on the docs, probably it would help reflecting that).

Once this is done the secret is not visible anymore inside the container nor the cluster itself. However, a question arises. A person that has access to the Kubernetes Cluster could easily find the JWT of the Service Account associated to the pod and Vault and afterwards authenticate against it to retrieve the secret.

Am I missing something? Otherwise I do not clearly see here the Security Model with how Vault and Vault-Agent glue together.

Thanks.

Marc