Secrets - why base64?


Dan Stroot

Aug 22, 2016, 10:10:31 AM8/22/16
to Kubernetes user discussion and Q&A
Since the secrets system uses base64 to encode secrets it is trivial to decode them.  Therefore I cannot commit .yaml or .json publicly with any real secrets in it.  Just curious where people "really" store their secrets (creditstash, vault, ?) and maybe some way to read from there directly into a K8S secret somehow?  Someone here must have a great solution all figured out (or at least some ideas).  If so please share!

Tim Hockin

Aug 22, 2016, 11:35:51 AM8/22/16
to kubernet...@googlegroups.com
The base64 is for storing binary data, not for encryption.
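As an added example (not code from the thread or from Kubernetes), the following shows the point Tim makes: a Secret's `data` values are only base64-encoded, so anyone who can read a committed manifest can recover the plaintext, and a pre-commit check can flag such files before they reach a public repository. The manifest is constructed inline in JSON (one of the formats Dan mentions) and the helper names are my own.

```python
import base64
import json

# Constructed sample (not from the thread): one Secret and one ConfigMap as
# they would sit in a repository; Secret "data" values are base64 text.
SAMPLE_MANIFEST = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
     "metadata": {"name": "db-creds"},
     "data": {"username": base64.b64encode(b"app").decode(),
              "password": base64.b64encode(b"hunter2").decode()}},
    {"apiVersion": "v1", "kind": "ConfigMap",
     "metadata": {"name": "app-config"}, "data": {"LOG_LEVEL": "info"}},
]})


def iter_objects(manifest_text):
    """Yield each top-level object, unwrapping a v1 List."""
    doc = json.loads(manifest_text)
    if doc.get("kind") == "List":
        yield from doc.get("items", [])
    else:
        yield doc


def decode_secret_data(secret):
    """Return {key: plaintext bytes} for a Secret object.
    base64 is an encoding, so every value is recoverable as-is."""
    out = {}
    for key, value in (secret.get("data") or {}).items():
        out[key] = base64.b64decode(value, validate=True)
    for key, value in (secret.get("stringData") or {}).items():
        out[key] = value.encode()  # stringData is already plaintext
    return out


def find_committed_secrets(manifest_text):
    """(secret name, key) pairs whose plaintext a reader of the file can
    recover; a pre-commit hook would refuse the commit if this is non-empty."""
    findings = []
    for obj in iter_objects(manifest_text):
        if obj.get("kind") != "Secret":
            continue
        name = obj.get("metadata", {}).get("name", "<unnamed>")
        findings.extend((name, key) for key in decode_secret_data(obj))
    return findings


if __name__ == "__main__":
    for name, key in find_committed_secrets(SAMPLE_MANIFEST):
        print(f"refuse commit: Secret/{name} key {key!r} is recoverable")
```

The ConfigMap in the sample is deliberately not flagged: the check targets the object type, not the encoding, since `stringData` in a Secret is not even base64.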

Dan Stroot

Aug 22, 2016, 11:48:16 AM8/22/16
to Kubernetes user discussion and Q&A
Tim - thanks for taking the time to reply.  I am marking this closed since you answered the question in the title.  I was really trying to ask about how people really manage secrets in Kubernetes since in my limited understanding secrets don't seem much more "secret" than configMaps - I will dig at this another way.

Cheers,
Dan

Rodrigo Campos

Aug 22, 2016, 12:02:56 PM8/22/16
to kubernet...@googlegroups.com
On Mon, Aug 22, 2016 at 08:48:15AM -0700, Dan Stroot wrote:
> Tim - thanks for taking the time to reply. I am marking this closed since
> you answered the question in the title. I was really trying to ask about how
> people really manage secrets in Kubernetes since in my limited

We don't have any magic way to do it; we just don't store them in any other place and
we keep them in etcd. But we will revisit this when we have more time.

Let me know if you find an interesting solution :)

> understanding secrets don't seem much more "secret" than configMaps - I
> will dig at this another way.

Secrets in kubernetes have some considerations like not writing them to disk on
the node, etc.

Tim Hockin

Aug 22, 2016, 12:34:51 PM8/22/16
to kubernet...@googlegroups.com
They are separate API types so that we can apply different policies to
them, but we don't currently have such policies or external
integrations.

Ming Fang

Aug 22, 2016, 12:58:03 PM8/22/16
to kubernet...@googlegroups.com
One option is to use Ansible Vault to encrypt your "secrets".
The Ansible inventory file, e.g. services.ini, was encrypted using Vault and is safe to put into source code control.
At runtime you will need to give Ansible your decryption password.