
encrypt secrets when in etcd. #12742

Closed
@erictune

Description

We should limit access to secrets when in etcd.

Initially discussed in #11937.

Although we discourage it, people seem to want to build their own clusters where etcd is used by both Apiserver and by other components, to store configuration. Secrets want to have Kubernetes access controls on them, and not to be widely readable. Other types of configuration want to be widely readable.

We could do this in a couple of ways:

  1. use etcd ACLs to limit access to the etcd keys that hold secrets.
  2. encrypt some or all of the secret data when stored.

@liggitt @pmorie
thoughts?
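A sketch of option 2 above (encrypt the secret data when it is stored), added here as an illustration; it is not code from this issue or from Kubernetes. It models the shared etcd key space as an in-memory map: values under a secrets path are sealed with AES-GCM by a key only the apiserver holds, while other configuration is written as-is so any etcd client can still read it. The `/registry/secrets/` path, the `enc:aesgcm:v1:` marker and the `Store` type are assumptions for the example, not the project's real on-disk format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Key-space layout and value marker are assumptions for this example,
// not Kubernetes' real storage format.
const (
	secretsPrefix = "/registry/secrets/" // only values under this path are encrypted
	encPrefix     = "enc:aesgcm:v1:"     // marks a stored value as ciphertext
)

// Store models an etcd key space shared by the apiserver and other components.
// Secrets are sealed with AES-GCM before they reach the kv map; everything
// else is written in plaintext and stays readable by any etcd client.
type Store struct {
	kv   map[string][]byte
	aead cipher.AEAD
}

// NewStore takes a 16-, 24- or 32-byte AES key held only by the apiserver.
func NewStore(key []byte) (*Store, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Store{kv: make(map[string][]byte), aead: aead}, nil
}

// Put writes a value; secrets are encrypted, other configuration is stored as-is.
func (s *Store) Put(key string, value []byte) error {
	if !strings.HasPrefix(key, secretsPrefix) {
		s.kv[key] = append([]byte(nil), value...)
		return nil
	}
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	// The etcd key is bound in as associated data, so a ciphertext copied
	// from one secret's key to another's fails authentication on read.
	ct := s.aead.Seal(nil, nonce, value, []byte(key))
	stored := append([]byte(encPrefix), nonce...)
	s.kv[key] = append(stored, ct...)
	return nil
}

// PutRaw models another component writing to etcd directly, bypassing the apiserver.
func (s *Store) PutRaw(key string, raw []byte) { s.kv[key] = append([]byte(nil), raw...) }

// Raw returns a copy of what a client reading etcd directly sees.
func (s *Store) Raw(key string) []byte { return append([]byte(nil), s.kv[key]...) }

// Get returns the plaintext. Under the secrets path a value that is not
// marked as ciphertext is rejected rather than silently trusted.
func (s *Store) Get(key string) ([]byte, error) {
	raw, ok := s.kv[key]
	if !ok {
		return nil, errors.New("key not found")
	}
	if !strings.HasPrefix(key, secretsPrefix) {
		return append([]byte(nil), raw...), nil
	}
	if !bytes.HasPrefix(raw, []byte(encPrefix)) {
		return nil, errors.New("secret is stored unencrypted")
	}
	body := raw[len(encPrefix):]
	ns := s.aead.NonceSize()
	if len(body) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return s.aead.Open(nil, body[:ns], body[ns:], []byte(key))
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	s, err := NewStore(key)
	if err != nil {
		panic(err)
	}
	_ = s.Put("/registry/secrets/default/db-creds", []byte("password=hunter2"))
	_ = s.Put("/registry/configmaps/default/app", []byte("log_level=debug"))
	fmt.Printf("etcd sees secret: %q\n", s.Raw("/registry/secrets/default/db-creds"))
	fmt.Printf("etcd sees config: %q\n", s.Raw("/registry/configmaps/default/app"))
	pt, err := s.Get("/registry/secrets/default/db-creds")
	fmt.Printf("apiserver sees:   %q (err=%v)\n", pt, err)
}
```

Binding the etcd key into the AEAD's associated data is what stops a ciphertext being replayed under a different secret's key, and refusing unmarked values under the secrets path means a component that writes plaintext straight into etcd cannot smuggle a secret past the encryption layer. Neither property helps against a reader who also holds the apiserver's key; this only addresses the shared-etcd exposure the issue describes.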

Metadata

Labels

  - area/secret-api
  - area/security
  - priority/backlog (Higher priority than priority/awaiting-more-evidence.)
  - sig/auth (Categorizes an issue or PR as relevant to SIG Auth.)
  - sig/service-catalog (Categorizes an issue or PR as relevant to SIG Service Catalog.)
