Release 1.1.0-beta.4

Pre-release
@torresdal torresdal released this 17 Mar 22:09
· 658 commits to master since this release

This is a beta release to verify several fixes to the env-injector, as described in issue #42. There were two main issues:

  1. The env-injector copied azure.json (containing the AKS Service Principal credentials) to every Pod using secret injection, and users could exec into the Pod and view the file content. Deleting the file was not an option, since it would prevent the container from recovering from errors (the Pod restarting the container), as the file was needed to authenticate with AKV.
  2. A user could exec into a Pod and execute /azure-keyvault/azure-keyvault-env printenv, and it would download and print out all injected secrets.

The implemented solution:

  1. An auth endpoint, protected by a client certificate, is added to the env-injector webhook. The azure-keyvault-env executable calls this endpoint (instead of using credentials from azure.json) to get an OAuth token for accessing AKV. This prevents the AKS Service Principal credentials from being revealed inside the Pod, while still using the same credentials.
  2. To prevent arbitrary arguments (like printenv) from being passed to /azure-keyvault/azure-keyvault-env, the env-injector webhook creates a signature of the original arguments, and azure-keyvault-env checks that signature before executing. This prevents revealing secrets in plain text when exec'ing into a Pod.
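As an added illustration of the second mitigation (this is not the project's own code, and the signing scheme is an assumption: the page does not say how akv2k8s computes the signature), the following Go example signs an argument vector with an HMAC on the webhook side and verifies it before execution on the Pod side:

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SignArgs computes an HMAC-SHA256 tag over the exact argument vector.
// Each argument is followed by a NUL byte so that ["a b"] and ["a", "b"]
// produce different tags; a plain join with spaces would be ambiguous.
func SignArgs(key []byte, args []string) string {
	mac := hmac.New(sha256.New, key)
	for _, a := range args {
		mac.Write([]byte(a))
		mac.Write([]byte{0})
	}
	return hex.EncodeToString(mac.Sum(nil))
}

// VerifyArgs recomputes the tag for the arguments actually supplied at
// exec time and compares it in constant time with the tag the webhook
// attached. Any change to the arguments (e.g. replacing the original
// command with "printenv") yields a different tag and is rejected.
func VerifyArgs(key []byte, args []string, tag string) bool {
	want, err := hex.DecodeString(tag)
	if err != nil {
		return false // malformed tag: never execute
	}
	got, _ := hex.DecodeString(SignArgs(key, args))
	return hmac.Equal(got, want)
}

func main() {
	// Constructed values (assumption): a per-Pod key known only to the
	// webhook and the injected binary, and the container's original command.
	key := []byte("constructed-per-pod-signing-key")
	original := []string{"/app/server", "--port=8080"}

	// Webhook side: sign the original arguments at injection time.
	tag := SignArgs(key, original)

	// Pod side: execute only if the supplied arguments match the signed ones.
	fmt.Println("original verifies:", VerifyArgs(key, original, tag))            // true
	fmt.Println("printenv verifies:", VerifyArgs(key, []string{"printenv"}, tag)) // false
}
```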

Installation / Upgrade

To upgrade an existing Helm chart, run:

helm repo update

and pass --version 1.1.0-beta.1 to helm upgrade.

See https://akv2k8s.io/installation for other details