by theptip
3802 days ago
Are the k8s Secrets still stored in plaintext in the etcd datastore? Seems that this feature is a bit half-baked right now -- though I'd love to be mistaken on this point. The k8s docs mention shredding your apiserver hard drives once you're done with them; that's hardly feasible in a cloud environment. Also on access control, any process with root on any node in your cluster can get access to all your secrets (since the kubelet needs to be able to do so). There are no user access controls either; any cluster admin can dump all the secrets. This stuff is clearly documented, so it's not an indictment on k8s; I just get the feeling that the feature isn't really ready for production use yet.
|
That still leaves the secret in plain view on the nodes that run the pod that needs the service. It would be great to be able to unmount the secret when not needed anymore.
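Added example, not part of this thread: a small Python check for the "plaintext in etcd" point above, run over raw values pulled from an etcd snapshot. It relies on the `k8s:enc:<provider>:` prefix the kube-apiserver writes when encryption at rest is configured, and on the `k8s\x00` magic of plaintext protobuf objects; the sample values and key paths are constructed.

```python
import base64
import json

# Prefix the kube-apiserver writes in front of a value when encryption at rest
# is configured; the remainder is <provider>:v1:<key name>:<ciphertext>.
ENC_PREFIX = b"k8s:enc:"
# Plaintext protobuf-serialized objects start with this magic; the Secret's
# data bytes then follow inline, unencoded and unencrypted.
PROTO_MAGIC = b"k8s\x00"


def classify_etcd_value(raw: bytes) -> dict:
    """Describe how one stored Secret looks on disk: encrypted, or plaintext (protobuf/JSON)."""
    if raw.startswith(ENC_PREFIX):
        fields = raw[len(ENC_PREFIX):].split(b":", 3)
        provider = fields[0].decode("ascii", "replace")
        return {"storage": "encrypted", "provider": provider, "data_keys": []}
    if raw.startswith(PROTO_MAGIC):
        return {"storage": "plaintext-protobuf", "provider": None, "data_keys": []}
    try:
        obj = json.loads(raw)
    except ValueError:
        return {"storage": "unknown", "provider": None, "data_keys": []}
    data = obj.get("data", {}) if isinstance(obj, dict) else {}
    # JSON storage only base64-encodes values; list the keys that are exposed.
    return {"storage": "plaintext-json", "provider": None, "data_keys": sorted(data)}


def audit(values: dict) -> dict:
    """Summarise storage modes over a mapping of etcd key -> raw value."""
    summary = {"encrypted": 0, "plaintext": 0, "unknown": 0, "plaintext_keys": []}
    for key, raw in values.items():
        mode = classify_etcd_value(raw)["storage"]
        if mode == "encrypted":
            summary["encrypted"] += 1
        elif mode.startswith("plaintext"):
            summary["plaintext"] += 1
            summary["plaintext_keys"].append(key)
        else:
            summary["unknown"] += 1
    return summary


# Constructed sample values (hypothetical paths, not from any real cluster).
_json_secret = json.dumps({"kind": "Secret", "data": {
    "username": base64.b64encode(b"admin").decode(),
    "password": base64.b64encode(b"hunter2").decode()}}).encode()
SAMPLES = {
    "/registry/secrets/default/db-json": _json_secret,
    "/registry/secrets/default/db-proto": PROTO_MAGIC + b"\x0a\x02v1\x12\x06Secret" + b"hunter2",
    "/registry/secrets/default/db-enc": b"k8s:enc:aescbc:v1:key1:" + b"\x93\x11\xaa\x00ciphertext",
}

if __name__ == "__main__":
    print(audit(SAMPLES))
```

A non-zero `plaintext` count means anyone who can read the etcd data directory or a backup of it can read those secrets directly.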