Question

0 Votes
IamCoder-6455 asked, IamCoder-6455 edited

How to secure Artifactory credentials in AKS K8s secrets?


Team,

To deploy workloads on AKS, my Docker images sit on Artifactory and I am not using Azure ACR. To do so, we have stored the Artifactory credentials in AKS K8s secrets.


Accordingly, our YAML definition looks like this:

imagePullSecrets:
- name: my-artifactory-credential

The question is, since AKS K8s secrets store data just base64-encoded, what are the ways to make it secure?

Can I put this in Azure Key Vault? But how would it be used when the image is pulled from Artifactory?

Can we encrypt it some way and decrypt it whenever required? Please suggest. Thanks.

azure-kubernetes-service

3 Votes
srbose-msft answered

@IamCoder-6455 , Thank you for your question.

If you configure the secret through a manifest (JSON or YAML) file which has the secret data encoded as base64, sharing this file or checking it in to a source repository means the secret is compromised. Base64 encoding is not an encryption method and is considered the same as plain text. This is one of the Risks with Secrets in upstream Kubernetes.

Kubernetes secrets are stored in etcd, a distributed key-value store. Etcd store is fully managed by AKS and data is encrypted at rest within the Azure platform. You can check the Azure Encryption at Rest Components here. Read more on Encrypting Secret Data at Rest in Kubernetes. When you use kubectl to fetch secrets, they are decrypted and returned.

  • Secrets are only provided to nodes with a scheduled pod that requires them.

  • The Secret is stored in tmpfs, not written to disk.

  • When you delete the last pod on a node requiring a Secret, the Secret is deleted from the node's tmpfs.

For more information please check this document.

At the time of writing, AKS does encrypt secrets at rest, but keys are managed by the service and users cannot bring their own. [Reference]


Having said that, AKS isn't currently natively integrated with Azure Key Vault. However, the Azure Key Vault provider for CSI Secrets Store enables direct integration from Kubernetes pods to Key Vault secrets. [Reference]

Azure Key Vault provider for Secrets Store CSI driver allows you to get secret contents stored in an Azure Key Vault instance and use the Secrets Store CSI driver interface to mount them into Kubernetes pods. [Reference]

The CSI driver mounts the secret inside the container as a volume, but the image pull secret is needed before the container is created and the volume mounted, so the secret will not be available during ImagePull. One possibility can be to use an Init Container using an image from a public repository like nginx or busybox, etc., which can Sync Mounted Content with a Kubernetes Secret before the main container's image is pulled using the synced imagePullSecret. But this too will in effect create a Secret Object on the AKS cluster based on the Azure Key Vault Secret, and you might add an additional step to remove it after the Pod is created.


Hope this helps.

Please "Accept as Answer" if it helped, so that it can help others in the community looking for help on similar topics.
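The init-container pattern the answer describes, written out as an added illustration that is not part of the answer or of the Azure provider's documentation. It assumes the Secrets Store CSI driver with the Azure provider is installed, that a Key Vault secret (assumed name artifactory-dockerconfig) holds the Docker config JSON for Artifactory, and that a node managed identity can read it; the vault, tenant, identity and image values are placeholders.

```yaml
# Added example; <...> are placeholders. Key Vault secret "artifactory-dockerconfig"
# is assumed to hold {"auths": {"artifactory.example.com": {...}}}.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: artifactory-pull-secret
spec:
  provider: azure
  # Sync the mounted file into a dockerconfigjson Secret, the type imagePullSecrets expects.
  secretObjects:
    - secretName: my-artifactory-credential
      type: kubernetes.io/dockerconfigjson
      data:
        - objectName: artifactory-dockerconfig
          key: .dockerconfigjson
  parameters:
    useVMManagedIdentity: "true"
    userAssignedIdentityID: "<IDENTITY_CLIENT_ID>"
    keyvaultName: "<KEYVAULT_NAME>"
    tenantId: "<TENANT_ID>"
    objects: |
      array:
        - |
          objectName: artifactory-dockerconfig
          objectType: secret
---
apiVersion: v1
kind: Pod
metadata:
  name: app-from-artifactory
spec:
  # Public image, so no Artifactory credential is needed yet; mounting the CSI volume triggers the sync.
  initContainers:
    - name: sync-pull-secret
      image: busybox:1.36
      command: ["sh", "-c", "test -s /mnt/secrets-store/artifactory-dockerconfig"]
      volumeMounts:
        - { name: kv-secrets, mountPath: /mnt/secrets-store, readOnly: true }
  containers:
    - name: app
      image: artifactory.example.com/docker/my-app:1.0   # placeholder
  imagePullSecrets:
    - name: my-artifactory-credential
  volumes:
    - name: kv-secrets
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: artifactory-pull-secret
```

Because the kubelet may resolve imagePullSecrets before the synced Secret exists, the first pull of the main image can fail with ErrImagePull and succeed on the kubelet's retry; the synced Secret is still a Secret object in the cluster, which is the trade-off the answer points out.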


0 Votes
IamCoder-6455 answered

Appreciate the detailed concept and answer.
