Storing Secrets on Disk

Hello Everyone,

I am very new to Kubernetes and Vault and am just now learning about vault-k8s. After reading the blog post about it I have a hopefully simple question. If I have an app that needs a dynamic secret and I choose to use vault-k8s to provide that secret, does that mean that the secret is written to disk on the app’s container? If so, isn’t that a security concern? I thought the best place to store a secret was temporarily in memory? I feel that I am missing something because to me it seems like if an attacker could get access to the file system, then they could potentially get access to sensitive credentials.


It’s a balancing act between ease of use and complexity and automation vs. security. It’s up to you to decide what’s secure in your environment and how much you are willing to forgo to make it “more secure”.

That said, you have options for your secrets. I’m just a beginner in Kubernetes, but from what I have seen in production environments, it’s simple to secure a pod – out of the box each pod only has access to itself and kubeadmins are the only ones that could get around that. I believe you can even eliminate that access (someone who knows Kubernetes can correct me there).

To answer your second question, if an attacker has access to the Kubernetes environment or even the pod itself, the secrets are not secrets anymore, no matter what you do. The secret-zero issue exists, and there has to be trust at some level; if that’s compromised, the best you can hope for is to restrict what secrets have been exposed and be able to rotate them out as quickly as possible.

1 Like

Ah that makes perfect sense actually! Thank you for that explanation. I guess a simple middle ground is to have a system in place to simply delete the secret if it is only used/needed once so that it is not just sitting on the hard drive. You are right about it being a balancing act though.

You only need to leave the secrets on the filesystem if you want to have a sidecar and updated secrets.
If you only get them via an init container, as soon as you source the secret file to get environment variables out of it, the secret file can be deleted.

1 Like
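
The init-container-only approach from the last reply, as an added example that is not part of the original thread: an entrypoint wrapper that sources the rendered secret file into the environment, deletes it, and then starts the app. The function name `load_secrets_once`, the `SECRETS_FILE` variable, the example path and the `KEY=value` file layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the init container rendered the
# secrets as shell-style KEY=value lines into one file.

# load_secrets_once FILE
#   Export every variable assigned in FILE, then delete FILE.
#   Returns non-zero if FILE is missing, is a symlink, or cannot be removed.
load_secrets_once() {
    secrets_file=$1

    # Accept only a regular file. A symlink could point the source/delete
    # steps at something other than the rendered secret.
    if [ -L "$secrets_file" ] || [ ! -f "$secrets_file" ]; then
        echo "secrets file missing or not a regular file: $secrets_file" >&2
        return 1
    fi

    # Sourcing executes the file as shell code, so it must only ever be
    # written by the trusted template renderer.
    set -a                      # auto-export everything assigned while sourcing
    . "$secrets_file" || { set +a; return 1; }
    set +a

    # Remove the on-disk copy and confirm it is really gone.
    rm -f -- "$secrets_file" || return 1
    [ ! -e "$secrets_file" ]
}

# Entrypoint use (hypothetical path and command):
#   SECRETS_FILE=/vault/secrets/config ./entrypoint.sh myapp --serve
if [ -n "${SECRETS_FILE:-}" ] && [ "$#" -gt 0 ]; then
    load_secrets_once "$SECRETS_FILE" || exit 1
    exec "$@"                   # the app inherits the exported variables
fi
```

The values stay readable in the process environment (for example through `/proc/<pid>/environ`) and are inherited by child processes, so this narrows exposure on the file system only.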