While I developed an API server, I needed to give some account information to API server, which should not be shown to anyone. K8s recommends secret for this kind of situation, so I used.
But I wonder if the secret is really secret. Secret is just base 64 "encoded" text, not "encrypted".
When I see an arbitary secret like below,
namespace: ZGVmYXVsdA==
I can easily know the real value of it by decoding.
namespace: default
In such a this situation, is secret really helpful for security? What I know about the security advantage of secret is that it is on-memory not on-node file system. But I think that is not enough for security.
Thank you.
FromKubernetes Secrets documentation :
Risks
Also check great post Can Kubernetes Keep a Secret? It all depends what tool you're using , especcially " What's wrong with Kubernetes plain Secrets? " part..
I hope that answered your question, but generally @Harsh Manvar is right: you should have an access first to that secret.
You should limit access using authorization policies such as RBAC.
You'll need to create a Role/ClusterRole
with appropriate permissions and then bind (using RoleBinding/ClusterRoleBinding
) that to a user and/or a service account (can be used in pod definition then), depending on your use case.
You can look at the documentation here to create Role & ClusterRole and the docs here for RoleBinding and ClusterRoleBinding.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.