I was reading about the Kubernetes Auth method, and I think it is great, but I have one question: with this method you are effectively putting the token (unencrypted) inside each pod, which means that if an attacker gets access to the pod, they can take the token, authenticate against Vault and get all the secrets. So it seems that the Kubernetes Auth alone is not enough and you need to add some extra layer.
Am I right? Or am I missing something?
Thank you very much.
That’s a good question. Yes, you’re correct: if an attacker gets access to the pod, the token can easily be compromised. The reason we do it this way is that we intend for folks to use RBAC to deny such access to pods. For instance, if you wanted to use the command line inside a pod, you’d run a command like $ kubectl exec -it vault -- /bin/bash. So, one permission you wouldn’t grant lightly through RBAC would be the "exec" permission.
I hope that helps.
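A concrete version of the RBAC advice above, added here as an example and not taken from the thread or from Vault's own docs: two Roles, one that hands out the exec permission and one that withholds it, plus a binding to the safe one. The namespace vault-demo and the group dev-team are assumed names.

```yaml
# Added example, not from the thread. Kubernetes RBAC is allow-only, so "denying
# exec" means never granting create on the pods/exec subresource. The first Role
# leaks it; the second keeps the same troubleshooting access without it.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-operator-too-broad     # weak: lets the holder open a shell in the pod
  namespace: vault-demo            # assumed namespace name
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    # any of these three reaches the filesystem that holds the injected token
    resources: ["pods/exec", "pods/attach", "pods/portforward"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-operator-readonly      # hardened: read pod state and logs only
  namespace: vault-demo
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    # create/patch on pods are also withheld: a new pod in this namespace could
    # run under the same service account and receive an equivalent token
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-team-pod-operator
  namespace: vault-demo
subjects:
  - kind: Group
    name: dev-team                 # assumed group name
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-operator-readonly      # bind the hardened Role, never the broad one
  apiGroup: rbac.authorization.k8s.io
```

You can verify the outcome for a member of the group with kubectl auth can-i create pods/exec -n vault-demo --as=alice --as-group=dev-team, which should answer no.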
Ok, thanks. Yes, then it is secured, but it depends on another system to be really secured, and well, if this third system (RBAC) fails then you are stuck. Don’t get me wrong, I really love the Kubernetes auth method, but I just want to be sure to have all the protections that should be in place.
Yes, you make fantastic points. We are currently actively working on increasing our documentation around Kubernetes, and we should definitely point this out. I will make sure we include it.
Actually, it happens the same with Vault Agent, right? Secrets are mounted in the filesystem but in plain text.