[英]Kubernetes secret is really secret?
While I developed an API server, I needed to give some account information to API server, which should not be shown to anyone.当我开发了一个 API 服务器时,我需要向 API 服务器提供一些帐户信息,这些信息不应该向任何人显示。 K8s recommends secret for this kind of situation, so I used.
K8s针对这种情况推荐secret,所以我用了。
But I wonder if the secret is really secret.但我想知道这个秘密是否真的是秘密。 Secret is just base 64 "encoded" text, not "encrypted".
Secret 只是 base 64“编码”文本,而不是“加密”文本。
When I see an arbitary secret like below,当我看到像下面这样的任意秘密时,
namespace: ZGVmYXVsdA==
I can easily know the real value of it by decoding.通过解码我可以很容易地知道它的真正价值。
namespace: default
In such a this situation, is secret really helpful for security?在这种情况下,秘密真的对安全有帮助吗? What I know about the security advantage of secret is that it is on-memory not on-node file system.
我所知道的秘密的安全优势是它是内存而不是节点文件系统。 But I think that is not enough for security.
但我认为这还不够安全。
Thank you.谢谢你。
FromKubernetes Secrets documentation :来自Kubernetes 秘密文档:
Risks风险
Also check great post Can Kubernetes Keep a Secret?另请查看很棒的帖子Kubernetes 可以保密吗? It all depends what tool you're using , especcially " What's wrong with Kubernetes plain Secrets? " part..
这完全取决于您使用的是什么工具,尤其是“ Kubernetes 普通秘密有什么问题? ”部分..
I hope that answered your question, but generally @Harsh Manvar is right: you should have an access first to that secret.我希望这回答了您的问题,但通常@Harsh Manvar 是正确的:您应该首先访问该秘密。
You should limit access using authorization policies such as RBAC.您应该使用授权策略(例如 RBAC)来限制访问。
You'll need to create a Role/ClusterRole
with appropriate permissions and then bind (using RoleBinding/ClusterRoleBinding
) that to a user and/or a service account (can be used in pod definition then), depending on your use case.您需要创建一个具有适当权限的
Role/ClusterRole
,然后根据您的用例将其绑定(使用RoleBinding/ClusterRoleBinding
)到用户和/或服务帐户(然后可以在 pod 定义中使用)。
You can look at the documentation here to create Role & ClusterRole and the docs here for RoleBinding and ClusterRoleBinding.您可以在此处查看文档以创建角色和 ClusterRole,并在此处查看用于 RoleBinding 和 ClusterRoleBinding 的文档。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.