Containers need secrets (passwords, keys and related data) to perform basic operations such as integrating with other systems. While secrets are critical to the operation of production systems, exposing them puts those systems at risk. So how should secrets be handled safely? This document addresses that question.
Handling secrets (passwords, keys and related data) in Docker is a recurring topic. While Docker provides an efficient development and deployment environment, compromised Docker components can infect your entire infrastructure. Managing container secrets properly is an important step towards preventing that.
Never build the secret value into the code itself.
Never bake secrets into a container image.
Prefer not to store secrets as environment variables.
Use volume mounts to pass secrets to a container at runtime.
Restrict access to a secret to the set of people who really need it.
Have a plan for rotating secrets.
Make sure your secrets are encrypted.
Use Kubernetes Secrets or a vault (secret manager) for this purpose.
The recommended way to authenticate to the API server is with a service account credential. Kubernetes service accounts automatically create secrets and attach them to containers as API credentials.
By default, a pod is associated with a service account, and a credential (token) for that service account is placed into the filesystem tree of each container in that pod, at /var/run/secrets/kubernetes.io/serviceaccount/token.
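As an added example (not code from the original text) of the recommendations above, the following Python module reads secrets only from files mounted into the container, re-reads them on every call so a rotated value is picked up without a restart, and locates the Kubernetes service-account token at the path just mentioned. It assumes Docker's /run/secrets/<name> mount convention and the <NAME>_FILE environment-variable convention used by many official images (for example POSTGRES_PASSWORD_FILE); the secret names and values used in demo() are constructed for the demonstration.

```python
"""Read container secrets from mounted files, never from code or plain env vars."""
import os
import stat
import tempfile
from pathlib import Path
from typing import Optional

# Docker mounts secrets at /run/secrets/<name>; Kubernetes places the
# service-account token at the path named in the text above.
DEFAULT_SECRETS_DIR = Path("/run/secrets")
SA_TOKEN_PATH = Path("/var/run/secrets/kubernetes.io/serviceaccount/token")


class SecretError(RuntimeError):
    """Raised when a secret is missing or its mount looks wrong."""


def _read_secret_file(path: Path) -> str:
    try:
        st = path.stat()
    except FileNotFoundError:
        raise SecretError(f"secret file not found: {path}") from None
    # A mounted secret should never be writable by other users; that usually
    # means a loosely permissioned host file was bind-mounted by mistake.
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise SecretError(f"{path} is writable by group/other; refusing to use it")
    return path.read_text(encoding="utf-8").rstrip("\n")


def read_secret(name: str, secrets_dir: Path = DEFAULT_SECRETS_DIR) -> str:
    """Resolve the secret called `name` from a file.

    Lookup order: <secrets_dir>/<name>, then the file named by the
    <NAME>_FILE environment variable (the convention used by many official
    images, e.g. POSTGRES_PASSWORD_FILE). A plain <NAME> variable holding the
    value itself is deliberately ignored. The file is re-read on every call,
    so a rotated mount takes effect without restarting the process.
    """
    if not name or "/" in name or name in (".", ".."):
        raise SecretError(f"invalid secret name: {name!r}")
    mounted = secrets_dir / name
    if mounted.exists():
        return _read_secret_file(mounted)
    pointer = os.environ.get(f"{name.upper()}_FILE")
    if pointer:
        return _read_secret_file(Path(pointer))
    raise SecretError(
        f"secret {name!r} is not mounted under {secrets_dir} and "
        f"{name.upper()}_FILE is unset"
    )


def service_account_token(path: Path = SA_TOKEN_PATH) -> Optional[str]:
    """Return the Kubernetes service-account token if one is mounted, else None."""
    return _read_secret_file(path) if path.exists() else None


def demo() -> dict:
    """Exercise the rules above in a constructed secrets directory.

    Returns the values read so the behaviour can be checked programmatically.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        secrets_dir = Path(tmp)
        db_pw = secrets_dir / "db_password"
        db_pw.write_text("s3cr3t-v1\n")   # constructed sample value
        db_pw.chmod(0o400)                # read-only, like a real secret mount
        results["first"] = read_secret("db_password", secrets_dir)

        db_pw.chmod(0o600)
        db_pw.write_text("s3cr3t-v2\n")   # rotation: same path, new value
        db_pw.chmod(0o400)
        results["rotated"] = read_secret("db_password", secrets_dir)

        # <NAME>_FILE convention: the variable holds a path, not the secret.
        key_file = secrets_dir / "api_key.txt"
        key_file.write_text("k-123\n")    # constructed sample value
        key_file.chmod(0o400)
        os.environ["API_KEY_FILE"] = str(key_file)
        results["via_file_var"] = read_secret("api_key", secrets_dir)
        del os.environ["API_KEY_FILE"]

        # A plain API_KEY variable is ignored: the value must come from a file.
        os.environ["API_KEY"] = "would-leak-if-used"
        try:
            read_secret("api_key", secrets_dir)
            results["plain_env_ignored"] = False
        except SecretError:
            results["plain_env_ignored"] = True
        finally:
            del os.environ["API_KEY"]
    return results


if __name__ == "__main__":
    print(demo())
    print("service-account token mounted:", service_account_token() is not None)
```

Because the value is read from the mount at the moment it is needed, rotating a secret is a matter of replacing the mounted file (or updating the Kubernetes Secret, whose volume is refreshed by the kubelet) rather than rebuilding or redeploying the image. In Kubernetes, a pod that never calls the API server can set automountServiceAccountToken: false in its spec so the token is not mounted at all, which limits what is exposed if that container is compromised.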
Building the secret value into the code itself has two problems. First, anyone who can read the source code also has access to the secret value, and the more people who can read a secret, the more likely it is to be compromised.
Second, the secret becomes coupled to the life cycle of the code, so it cannot be rotated independently: to change a password or rotate a key, you have to rebuild and redeploy the code.
Images with embedded secrets are not secure. Anyone with access to the image can pull it and extract the secrets, even from layers that a later layer hides (for example, a file added in one Dockerfile step and deleted in a subsequent one is still present in the earlier layer).
The danger of using environment variables is accidental leakage. Secrets are easily leaked through logging, because it is common for software to log its entire environment. The set of people who have access to logs is usually much larger than the set of people who need production key values.
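The leak described above, as an added example that is not part of the original text: a logger that dumps os.environ on startup, first unguarded and then behind a redaction filter that masks registered secret values before a record reaches any handler. The environment variable DB_PASSWORD and its value are constructed for the demonstration. Redaction in logs only narrows the exposure: the environment is also inherited by every child process and is shown by docker inspect, so a mounted file remains the better choice.

```python
"""Show how logging the environment leaks secrets, and a redaction filter."""
import logging
import os
import re
from io import StringIO


class SecretRedactor(logging.Filter):
    """Mask every registered secret value in a log record before it is emitted.

    Values are matched literally (re.escape) and longest first, so a value that
    contains another registered value is masked as a whole.
    """

    MASK = "[REDACTED]"

    def __init__(self) -> None:
        super().__init__()
        self._values: set = set()
        self._pattern = None

    def register(self, value: str) -> None:
        if not value:          # an empty pattern would match everywhere
            return
        self._values.add(value)
        ordered = sorted(self._values, key=len, reverse=True)
        self._pattern = re.compile("|".join(re.escape(v) for v in ordered))

    def redact(self, text: str) -> str:
        return self._pattern.sub(self.MASK, text) if self._pattern else text

    def filter(self, record: logging.LogRecord) -> bool:
        # Format first so secrets passed as %-args are covered too, then
        # replace the message in place; the record is still emitted.
        record.msg = self.redact(record.getMessage())
        record.args = ()
        return True


def dump_environment(logger: logging.Logger) -> None:
    """What careless software does on startup or on error: log everything."""
    logger.info("starting with environment: %s", dict(os.environ))


def capture_log(redact: bool) -> str:
    """Run dump_environment() into an in-memory handler, optionally redacted."""
    logger = logging.getLogger(f"secrets-demo.{'masked' if redact else 'plain'}")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    buf = StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.handlers = [handler]
    if redact:
        redactor = SecretRedactor()
        redactor.register(os.environ["DB_PASSWORD"])
        handler.addFilter(redactor)
    dump_environment(logger)
    handler.flush()
    return buf.getvalue()


def demo() -> dict:
    """Put a constructed secret in the environment and log it both ways."""
    os.environ["DB_PASSWORD"] = "hunter2-constructed"   # constructed sample value
    try:
        return {"plain": capture_log(redact=False),
                "masked": capture_log(redact=True)}
    finally:
        del os.environ["DB_PASSWORD"]


if __name__ == "__main__":
    out = demo()
    print("unguarded:", out["plain"], sep="\n")
    print("redacted:", out["masked"], sep="\n")
```

The filter is attached to the handler rather than the logger so that records arriving from other loggers through propagation are masked as well; registering values rather than variable names means a secret is caught wherever it appears in a message, not only in an environment dump.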