Using Kubernetes Native Secret Management
- Query id: b9c83569-459b-4110-8f79-6305aa33cb37
- Query name: Using Kubernetes Native Secret Management
- Platform: Kubernetes
- Severity: Info
- Category: Secret Management
- CWE: Ongoing
- URL: Github
Description
Consider an external secret storage and management system for Kubernetes, rather than using Kubernetes Secrets directly, when you have more complex secret management needs. Additionally, ensure that access to secrets is carefully limited.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: cluster-secrets
data:
  # Fill with your encoded base64 CA
  certificate-authority-data: Cg==
stringData:
  # Fill with your string Token
  bearerToken: "my-token"
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azure-kvname
  namespace: myNameSpace
spec:
  provider: azure
  parameters:
    usePodIdentity: "true"
    keyvaultName: "<key Vault Name>"
    objects: |
      array:
        - |
          objectName: secret1
          objectType: secret
        - |
          objectName: key1
          objectType: key
    tenantId: "<tenant ID which the Key Vault sits under>"
  secretObjects:
    - secretName: appsecrets
      data:
        - key: secret1
          objectName: secret1
      type: Opaque
```
Negative test num. 2 - yaml file
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: cluster-secrets
data:
  # Fill with your encoded base64 CA
  certificate-authority-data: Cg==
stringData:
  # Fill with your string Token
  bearerToken: "my-token"
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azure-kvname
  namespace: myNameSpace
spec:
  provider: azure
  parameters:
    usePodIdentity: "true"
    keyvaultName: "<key Vault Name>"
    objects:
      array:
        - {objectName: secret1, objectType: secret}
        - {objectName: key1, objectType: key}
    tenantId: "<tenant ID which the Key Vault sits under>"
  secretObjects:
    - secretName: appsecrets
      data:
        - key: secret1
          objectName: secret1
      type: Opaque
```
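As an added illustration, not the KICS query itself and not code from this page, the following Python script implements the check the samples above imply: every `kind: Secret` document in a manifest file is reported, together with the `data`/`stringData` keys it would expose, unless a `SecretProviderClass` appears somewhere in the same file (this is how negative sample 2 passes). The line-based reader and the two embedded manifests (the positive sample, and a trimmed version of negative sample 2) are constructed for this example; a production scanner would use a real YAML parser and a richer notion of "external store in use".

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Unindented "key: value" line (top-level YAML mapping entry).
TOP_KEY = re.compile(r"^([A-Za-z][\w.-]*):\s*(.*)$")
# "key: value" after indentation has been stripped.
CHILD_KEY = re.compile(r"^([\w.-]+):\s*(.*)$")


@dataclass
class Finding:
    document: int                                  # zero-based document index in the file
    name: str                                      # metadata.name of the Secret
    keys: List[str] = field(default_factory=list)  # data/stringData keys stored in-cluster


def split_documents(text: str) -> List[str]:
    """Split a multi-document YAML file on '---' separator lines."""
    docs, current = [], []
    for line in text.splitlines():
        if line.strip() == "---":
            docs.append("\n".join(current))
            current = []
        else:
            current.append(line)
    docs.append("\n".join(current))
    return [d for d in docs if d.strip()]


def top_level_sections(doc: str) -> Dict[str, Tuple[str, List[str]]]:
    """Map each unindented key to (its scalar value, its indented child lines).
    Constructed minimal reader: comments and blank lines are dropped."""
    sections: Dict[str, Tuple[str, List[str]]] = {}
    current = None
    for line in doc.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = TOP_KEY.match(line)
        if m:
            current = m.group(1)
            sections[current] = (m.group(2).strip(), [])
        elif current is not None:
            sections[current][1].append(line)
    return sections


def child_entries(lines: List[str]) -> List[Tuple[str, str]]:
    """(key, value) pairs at the first indentation level below a section."""
    entries, indent = [], None
    for line in lines:
        stripped = line.lstrip()
        level = len(line) - len(stripped)
        if indent is None:
            indent = level
        if level == indent:
            m = CHILD_KEY.match(stripped)
            if m:
                entries.append((m.group(1), m.group(2).strip().strip('"')))
    return entries


def scan(text: str) -> List[Finding]:
    """Report native Secrets unless an external secret store is declared in the file."""
    parsed = [top_level_sections(d) for d in split_documents(text)]
    kinds = [s.get("kind", ("", []))[0] for s in parsed]
    # Assumption mirroring negative sample 2: a SecretProviderClass anywhere
    # in the file means an external store (e.g. Secrets Store CSI) is in use.
    if "SecretProviderClass" in kinds:
        return []
    findings = []
    for i, sections in enumerate(parsed):
        if kinds[i] != "Secret":
            continue
        meta = dict(child_entries(sections.get("metadata", ("", []))[1]))
        keys = [k for sec in ("data", "stringData")
                for k, _ in child_entries(sections.get(sec, ("", []))[1])]
        findings.append(Finding(i, meta.get("name", "<unnamed>"), keys))
    return findings


# Positive sample from the page: a native Secret with no external store.
POSITIVE_SAMPLE = """apiVersion: v1
kind: Secret
metadata:
  name: cluster-secrets
data:
  # Fill with your encoded base64 CA
  certificate-authority-data: Cg==
stringData:
  # Fill with your string Token
  bearerToken: "my-token"
"""

# Trimmed negative sample 2: same Secret, plus a SecretProviderClass in the file.
NEGATIVE_SAMPLE = POSITIVE_SAMPLE + """---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azure-kvname
  namespace: myNameSpace
spec:
  provider: azure
"""

if __name__ == "__main__":
    for label, sample in (("positive", POSITIVE_SAMPLE), ("negative", NEGATIVE_SAMPLE)):
        print(label, scan(sample))
```

Running the script reports the positive sample's `cluster-secrets` Secret with its two exposed keys and nothing for the negative sample. The file-scoped "is a SecretProviderClass present" test is the weak point of the heuristic: it cannot tell whether the Secret is actually populated from the external store, so a real review should still confirm that workloads consume the CSI-synced `secretObjects` rather than the hand-written Secret.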