Sealed Secret in Kubernetes #858
Comments
We would get into trouble if the private key is somehow compromised: either by specifying a backup key to use the secret without the controller or by having the secret accessible due to an RBAC misconfiguration. However: I have not seen any of the 2 cases alive yet. @bendehaan : what should we do here?
One of the challenges would still be: how can we implement this in ctf-party? Should the controller live in a namespace everyone has access to?
As agreed with @bendehaan : We can implement it for now using a controller with an exposed private key. Assigning this one to you @MarcinNowak-codes
@bendehaan is this still something you want to pick up :) ?
Anyone want to pick this one up :) ?
I want to work on this issue :-) @commjoen
@commjoen has some discussion already been done on Slack about this issue?
Yes. Please check with @bendehaan on Slack.
@Shubham-Patel07 can you, before taking on this issue, first fix the other 2 outstanding PRs please?
I've fixed the outstanding issue, now I wanted to give it a try!!
Missing unit tests and textual corrections. Good to know: @Shubham-Patel07 given current RBAC, we could add the hints of accessing the secret directly, meaning all can be done in the same challenge ;-)
Updated #1521 to have both challenges combined in this one.
Done with #1521
A file containing a Sealed Secret would be committed in the repository, e.g.:
A Sealed Secret is asymmetrically encrypted and only the Sealed Secret Controller deployed in Kubernetes can decrypt it. Such decrypted ("unsealed") secrets are stored as a classic Kubernetes Secret.
@commjoen could you describe the attack vector proposed on Slack?
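The sealing model described in this issue, as an added example that is not code from the WrongSecrets project or from the sealed-secrets controller: a random AES-256-GCM key encrypts the value, RSA-OAEP wraps that key under the controller's public key with the "namespace/name" string as the OAEP label, and only the holder of the private key can unseal. The blob layout, the 2048-bit key, the label string "ctf-party/secret-challenge" and the value "s3cr3t" are assumptions of this example, not the controller's wire format. The last function shows why the two risks raised above (a leaked controller key, and RBAC that grants read access to the unsealed Secret) matter: what lands in the Secret object is plain base64, protected by RBAC rather than cryptography.

```go
package main

// Added illustration of the sealed-secret model (not the project's code):
// hybrid encryption with RSA-OAEP key wrapping and AES-256-GCM payload encryption.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

const sessionKeyLen = 32 // AES-256

// Seal encrypts plaintext so that only the private key matching pub can recover it.
// Blob layout (an assumption of this example): wrappedKey (pub.Size() bytes) || nonce || AES-GCM ciphertext.
func Seal(pub *rsa.PublicKey, label string, plaintext []byte) ([]byte, error) {
	sessionKey := make([]byte, sessionKeyLen)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The OAEP label ("namespace/name") is authenticated: unsealing the same blob
	// under a different namespace or name fails, which is what scopes a sealed secret.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, []byte(label))
	if err != nil {
		return nil, err
	}
	out := append(wrapped, nonce...)
	return gcm.Seal(out, nonce, plaintext, nil), nil
}

// Unseal is what the controller does: recover the session key with the private key,
// then decrypt the payload. Anyone holding priv (a leaked key, a restored backup key)
// can do this, which is why exposure of the controller key undoes the scheme.
func Unseal(priv *rsa.PrivateKey, label string, sealed []byte) ([]byte, error) {
	keyLen := priv.Size()
	if len(sealed) < keyLen {
		return nil, errors.New("sealed blob too short")
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, sealed[:keyLen], []byte(label))
	if err != nil {
		return nil, fmt.Errorf("unwrap session key: %w", err)
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < keyLen+gcm.NonceSize() {
		return nil, errors.New("sealed blob missing nonce")
	}
	nonce := sealed[keyLen : keyLen+gcm.NonceSize()]
	return gcm.Open(nil, nonce, sealed[keyLen+gcm.NonceSize():], nil)
}

// SecretDataValue shows what ends up in the unsealed Kubernetes Secret object:
// base64 of the plaintext, readable by any principal whose RBAC allows "get" on secrets.
func SecretDataValue(plaintext []byte) string {
	return base64.StdEncoding.EncodeToString(plaintext)
}

func main() {
	// Constructed key and values for the demonstration only.
	controllerKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	const label = "ctf-party/secret-challenge"
	sealed, err := Seal(&controllerKey.PublicKey, label, []byte("s3cr3t"))
	if err != nil {
		panic(err)
	}
	got, err := Unseal(controllerKey, label, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Printf("controller unsealed: %s\n", got)
	_, err = Unseal(controllerKey, "other-ns/secret-challenge", sealed)
	fmt.Println("same blob under another namespace/name:", err)
	fmt.Println("what an RBAC-privileged reader sees in the Secret:", SecretDataValue(got))
}
```

The committed sealed blob is safe to publish only as long as the controller's private key stays inside the controller; once the key is exposed, or once RBAC lets a user read the unsealed Secret directly, the value in the repository and the value in the cluster are equally readable.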