Comments (7)
Has there been any progress made towards KMS support? I would like to have the sealed secret controller use a KMS key instead of generating a new key when it is loaded on the cluster. This is so that in the event of a system failure and my cluster gets wiped out, I do not have to go and regenerate all my sealed secrets again. As it is though I need to keep track of my un-encrypted secrets as a recovery procedure.
Re (2):
The way sealedsecrets were intended to be used is that they deliberately don't provide an authentication mechanism. The public key is meant to be widely distributed and available for anyone who wants it - the only thing you can do with the public key is propose a valid SealedSecret object. From that point, the SealedSecret is just another piece of config, and it's up to your regular config approval mechanisms (RBAC, git review/approval, etc) to work out whether this particular change should be permitted - no different to the way you would authorise a change to (eg) the command line flags in a Deployment.
At one extreme, the key can even be committed to source control along with everything else for ease of use (eg: https://github.com/anguslees/k8s-home/blob/master/sealkey.crt).
Unfortunately, I think this point got lost somewhere thanks to a kubeseal convenience feature where it will fall back to querying the k8s server to find the encryption key, if none is given on the command line. This seems to be a really common misunderstanding, and if I had a time machine, I would go back and implement only --fetch-cert/--cert :(
With that in mind, the rest of this bug makes sense. The only real challenge is working out how to represent this in code/options in a pluggable fashion - I imagine once we support more than vanilla Secrets then suddenly we'll get me-too requests for every other system capable of storing the master key...
Yeah sure, I agree on the goals and maybe it's less transparent than it could be. One of the current problems for review is it's tricky to see whether a secret looks valid. #63 should help a little bit.
I had a bit more of a look through RBAC and found resourceNames, which can be used to restrict to a particular secret name. However, it only supports exact matches, so there is no easy way to say an admin can view all secrets apart from the sealed-secrets one. I think KMS may actually improve the security in this regard.
@ayk33 I don't know what people have been working on privately, but no I haven't seen any PRs related to this.
Has anyone proposed making use of the asymmetric key support of AWS KMS? There is currently a PR out on this repo for KMS support, but it seems to rely on the use of symmetric CMKs. (This is my assumption, because AWS states that the encryption context passed in that PR is incompatible with the RSA-OAEP encryption used by asymmetric CMKs.) I wonder whether the use of asymmetric CMK(s) would fit better with the existing architecture. Essentially the RSA key could be created through the AWS KMS APIs, the private key stays in secure hardware, and the public key can be exported and retrieved similar to the current scheme. Ephemeral symmetric key generation, encryption and decryption could all be done in a similar fashion to the current logic. This would allow new secrets to be sealed without having to grant every user doing so AWS KMS access.
If this path were to be pursued - would we want to grant the sealed-secrets operator permissions to create new CMKs? It seems like automatic "rotation" (seems more akin to "renewal" described in the README here, since the old key is not deleted) is not supported for asymmetric CMKs and that rotation has to be done "manually" - which amounts to creating a new CMK. This logic seems like it would be best handled by the sealed secrets operator.
Separately, on general integration direction - I saw one comment by @mkmik to the effect that direct integration should be avoided in favor of a more general plugin system. However, there's another comment implying that the current KMS PR's approach of using interfaces is (possibly?) acceptable, albeit not sufficiently abstracted. @mkmik, can you advise on what direction you see being best here?
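The hybrid scheme that both the trust-model comment above ("the only thing you can do with the public key is propose a valid SealedSecret") and the asymmetric-KMS proposal rely on, written out as an added example. This is not code from the sealed-secrets project or from either commenter: the RSA-OAEP-SHA256 wrapping of a single-use AES-256-GCM key, the namespace/name OAEP label, the zero nonce and the 2-byte length-prefixed layout are this example's own choices, made to mirror the shape of the scheme the thread describes rather than its exact wire format. The `Unsealer` interface is the seam the KMS proposal would use: sealing touches only the exported public key, so nobody running kubeseal needs KMS permissions, and only the controller's unwrap step would become a KMS Decrypt call. That KMS-backed implementation is not included here; only the local in-memory one is.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Unsealer is whoever holds the RSA private key: in-memory here, a KMS Decrypt call in the asymmetric-KMS proposal.
type Unsealer interface {
	UnwrapKey(wrapped, label []byte) ([]byte, error)
}

type localUnsealer struct{ priv *rsa.PrivateKey }

// NewLocalUnsealer generates a throwaway key pair (helper invented for this example).
func NewLocalUnsealer(bits int) (*localUnsealer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &localUnsealer{priv: priv}, nil
}

// Public returns the only material the sealing side ever needs.
func (u *localUnsealer) Public() *rsa.PublicKey { return &u.priv.PublicKey }

func (u *localUnsealer) UnwrapKey(wrapped, label []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, u.priv, wrapped, label)
}

// ScopeLabel binds a sealed value to one namespace/name via the OAEP label; copied or renamed ciphertext will not decrypt.
func ScopeLabel(namespace, name string) []byte {
	return []byte(namespace + "/" + name)
}

// Seal needs only the public key: anyone can propose a valid sealed value, so RBAC and review, not the key, gate what is applied.
func Seal(pub *rsa.PublicKey, label, plaintext []byte) ([]byte, error) {
	sessionKey := make([]byte, 32) // fresh AES-256 key for this one value
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, label)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	// Single-use key, so a fixed zero nonce is safe. Layout (this example's own): 2-byte len of wrapped key | wrapped key | AES-GCM ciphertext.
	ct := gcm.Seal(nil, make([]byte, gcm.NonceSize()), plaintext, nil)
	out := make([]byte, 2, 2+len(wrapped)+len(ct))
	binary.BigEndian.PutUint16(out, uint16(len(wrapped)))
	out = append(out, wrapped...)
	return append(out, ct...), nil
}

// Unseal is the controller side; it fails closed on a wrong label or any tampering.
func Unseal(u Unsealer, label, sealed []byte) ([]byte, error) {
	if len(sealed) < 2 || len(sealed) < 2+int(binary.BigEndian.Uint16(sealed)) {
		return nil, fmt.Errorf("sealed blob truncated")
	}
	n := int(binary.BigEndian.Uint16(sealed))
	sessionKey, err := u.UnwrapKey(sealed[2:2+n], label)
	if err != nil {
		return nil, fmt.Errorf("unwrap session key: %w", err)
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, make([]byte, gcm.NonceSize()), sealed[2+n:], nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	u, err := NewLocalUnsealer(2048)
	if err != nil {
		panic(err)
	}
	sealed, _ := Seal(u.Public(), ScopeLabel("prod", "db-creds"), []byte("hunter2"))
	pt, err := Unseal(u, ScopeLabel("prod", "db-creds"), sealed)
	fmt.Printf("same scope: %q err=%v\n", pt, err)
	_, err = Unseal(u, ScopeLabel("staging", "db-creds"), sealed)
	fmt.Println("other namespace:", err)
}
```

Two properties worth checking when reviewing any such design: the sealing path must never require the private key (here `Seal` takes only `*rsa.PublicKey`, which is what lets the cert be committed to git or handed out freely), and the controller must bind decryption to the object's identity (here the OAEP label), otherwise a reviewer approving a SealedSecret in one namespace has implicitly approved its ciphertext being pasted into any other. If the private key moves into an asymmetric KMS CMK, `UnwrapKey` is the only function that changes; KMS key creation and the manual renewal the comment above describes stay on the controller side.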
This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.
I found this: https://github.com/EladLeev/kubeseal-convert#aws-secrets-manager