This is more of a question, since I didn't manage to find it anywhere, and it is related to the image from GitHub - hashicorp/vault-k8s: First-class support for Vault and Kubernetes.
When one works "semi-manually" I believe it is possible to retrieve secrets either directly through Vault or by looking at the history itself. What I mean by "semi-manually" is, for example, exec-ing into the vault pod (kubectl exec -it vault-0 -- sh) and either:
vault kv put ...
What this in turn allows is for someone else with access to the cluster to also exec into the vault pod and do:
history | grep export to get the token and reuse it (and look at all the secrets this token has access to)
history | grep "kv put" to get the secret directly
This can of course be mitigated by:
- deleting the token
- deleting the pod where either the token or the secret was entered
- deleting the history file in the pod (echo "" > ~/.ash_history)
- using scripts to enter secrets
Note that neither a space prefix nor history -d works in this image. This probably also affects non-k8s setups, where "deleting the pod" might be less trivial.
Now, this might also be due to misuse on my part. I am sorry if I missed a question or something in the documentation that mentions this shouldn't be used in such a way.
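An added example, not code from the original post or from vault-k8s, showing both sides of what the post describes: a check for the history lines a later "history | grep export" or "history | grep 'kv put'" inside the pod would turn up, and a small wrapper that feeds the value to "vault kv put" on stdin using the CLI's documented KEY=- form ("@file" is the file equivalent), so the plaintext never appears on the command line or in ~/.ash_history. It assumes a vault binary on PATH with VAULT_ADDR and VAULT_TOKEN already exported for the real call; the history lines it scans are constructed for the demo.

```shell
#!/bin/sh
# Added example; not code from the original post or from vault-k8s.
#   count_history_leaks FILE    count history lines carrying a Vault token
#                               or an inline secret value (what a later
#                               "history | grep" inside the pod would find)
#   safe_kv_put MOUNT/PATH KEY  read the value from stdin and hand it to
#                               "vault kv put" as KEY=- (documented Vault CLI
#                               syntax for "read this value from stdin"), so
#                               the plaintext is never in argv or history
# Assumptions: a "vault" binary on PATH with VAULT_ADDR/VAULT_TOKEN exported
# for the real run; the history file written below is constructed.
set -eu

# A token exported inline, or passed positionally to "vault login".
TOKEN_RE='export[[:space:]]+VAULT_TOKEN=|vault[[:space:]]+login[[:space:]]+[A-Za-z0-9.]+'
# "vault kv put PATH key=value" with a literal value on the line. The stdin
# form ("key=-") and the file form ("@file") do not match: the value is absent.
PUT_RE='vault[[:space:]]+kv[[:space:]]+put[[:space:]].*[[:space:]][A-Za-z_][A-Za-z0-9_]*=[^-[:space:]]'

# Print the number of leaking lines; report only line numbers on stderr so
# the audit itself does not re-expose the values.
count_history_leaks() {
    leaks=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        if printf '%s\n' "$line" | grep -Eq "$TOKEN_RE"; then
            printf 'line %d: token on command line\n' "$lineno" >&2
            leaks=$((leaks + 1))
        elif printf '%s\n' "$line" | grep -Eq "$PUT_RE"; then
            printf 'line %d: secret value on command line\n' "$lineno" >&2
            leaks=$((leaks + 1))
        fi
    done < "$1"
    printf '%s\n' "$leaks"
}

# usage: printf '%s' "$value" | safe_kv_put secret/myapp password
# The history then records "safe_kv_put secret/myapp password", nothing more.
safe_kv_put() {
    vault kv put "$1" "$2=-"
}

# Constructed ~/.ash_history for the demo (not a real capture).
write_demo_history() {
    cat > "$1" <<'EOF'
export VAULT_TOKEN=hvs.CONSTRUCTED-example-token
vault kv put secret/myapp password=hunter2
vault kv put secret/myapp password=-
vault kv put secret/myapp @creds.json
vault kv get secret/myapp
EOF
}

# Demo: the first two lines leak, the stdin and @file forms do not.
demo=$(mktemp)
write_demo_history "$demo"
printf 'leaking history lines: %s\n' "$(count_history_leaks "$demo")"
rm -f "$demo"

# Only talk to Vault when one is configured and the CLI is present.
if [ -n "${VAULT_ADDR:-}" ] && command -v vault >/dev/null 2>&1; then
    printf '%s' 'hunter2' | safe_kv_put secret/myapp password
fi
```

Run it inside the pod the same way the post describes (kubectl exec -it vault-0 -- sh), pointing count_history_leaks at ~/.ash_history to see what is already recoverable before truncating the file; using safe_kv_put (or the @file form with the file removed afterwards) from then on keeps new values out of the history in the first place.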