
Kubectl Whisper Secrets: Create Kubernetes Secrets With Secure Input

Krew plugin to create Kubernetes secrets securely


Rewanth Tammana is a security ninja, open-source contributor, and full-time freelancer. Previously, he was Senior Security Architect at Emirates NBD (National Bank of Dubai). He is passionate about DevSecOps, Cloud, and Container Security. He added 17,000+ lines of code to Nmap (known as the Swiss Army knife of network utilities). He holds industry certifications such as CKS (Certified Kubernetes Security Specialist) and CKA (Certified Kubernetes Administrator).

Rewanth speaks and delivers training at international security conferences worldwide, including Black Hat, DEF CON, Hack In The Box (Dubai and Amsterdam), CRESTCon UK, PHDays, Nullcon, BSides, CISO Platform, null chapters and many others.

He was recognized as one of the MVP researchers on Bugcrowd (2018) and has identified vulnerabilities in several organizations. He also published an IEEE research paper on an offensive attack in Machine Learning and Security, and was a participant in the renowned Google Summer of Code program.

This blog post focuses on a plugin that allows an end user to create Kubernetes secrets by taking secure input from the console.

The in-line secret creation feature in Kubernetes (passing secret values directly on the command line) is vulnerable to shoulder surfing attacks. In this blog, we will

  • Glance through the features to create Kubernetes secrets
  • Analyze the risks with the default approach
  • Get introduced to the plugin that fixes this problem

GitHub link of the plugin: rewanthtammana/kubectl-whisper-secret

Introduction to Kubernetes

Kubernetes is an open-source container orchestration system for automating application deployment, scaling, and management. kubectl provides a CLI to manage Kubernetes clusters; it lets users run operations such as describe, edit, exec, explain, logs, and run against a cluster.

A Kubernetes Secret is an object that contains a small amount of sensitive data such as a password, a token, or a key. Such information might otherwise be put in a Pod specification or in a container image. Using a Secret means that you don't need to include confidential data in your application code.

Kubectl CLI

kubectl can be extended through kubectl plugins, an advanced feature that allows users to develop plugins that customize kubectl's functionality. I leveraged this feature to build the plugin that addresses the problem described in this post.

Default approach

We have different ways to create Kubernetes secrets. Input can be provided via

  1. CLI, --from-literal
  2. File, --from-file
  3. Env files, --from-env-file

We are most interested in the --from-literal option because it is the one most exposed to this attack. Below are a couple of examples.

Creating a generic secret

kubectl create secret generic my-secret --from-literal key1=value1 --from-literal key2=value2

Creating docker registry secrets

kubectl create secret docker-registry my-docker-secret --docker-password s3cur3D0ck3rP@ssw0rD --docker-username root

In both of the above examples, the secret value is typed in clear text on the command line, so it can be captured by shoulder surfing. This can lead to password leakage and authentication bypass.

Proposed approach

I leveraged the kubectl plugins feature and built a plugin to demonstrate an alternative approach to this problem.

Instead of passing the sensitive value on the command line, the plugin takes only the key names as arguments and prompts for each value, which is read from the console without being echoed to the terminal.

kubectl whisper-secret generic my-secret --from-literal key1 --from-literal key2
Enter value for key1: 
Enter value for key2: 
secret/my-secret created
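The same idea as a small POSIX shell script (an added example, not the plugin's own code): it prompts for each key with terminal echo switched off and, instead of passing the values through --from-literal, streams a Secret manifest into kubectl's stdin, so the values never appear on a command line (and therefore not in shell history either). The function names, the empty-value check and the use of kubectl create -f - are this example's own choices.

```shell
#!/bin/sh
# Added example, not the kubectl-whisper-secret plugin's own code: prompt for
# each Secret key with terminal echo disabled, then hand kubectl a manifest on
# stdin so the values never appear on a command line.
set -eu

# Read one value from stdin. When stdin is a terminal the prompt is shown and
# echo is switched off, like a password prompt. Empty values are rejected.
read_hidden() {
  key="$1"; value=
  if [ -t 0 ]; then
    printf 'Enter value for %s: ' "$key" >&2
    trap 'stty echo' EXIT INT TERM   # restore echo even if the user aborts
    stty -echo
  fi
  IFS= read -r value || [ -n "$value" ] || return 1
  if [ -t 0 ]; then
    stty echo
    printf '\n' >&2
  fi
  [ -n "$value" ] || { printf 'empty value for %s\n' "$key" >&2; return 1; }
  printf '%s' "$value"
}

# Print an Opaque Secret manifest for NAME with one data entry per KEY.
# Keys are checked against the characters Kubernetes accepts in Secret data
# keys, and values are base64-encoded as the API expects.
build_secret_manifest() {
  name="$1"; shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for key in "$@"; do
    printf '%s' "$key" | grep -Eq '^[-._a-zA-Z0-9]+$' \
      || { printf 'invalid secret key: %s\n' "$key" >&2; return 1; }
    value=$(read_hidden "$key") || return 1
    encoded=$(printf '%s' "$value" | base64 | tr -d '\n')
    printf '  %s: %s\n' "$key" "$encoded"
  done
}

# Usage: whisper_secret my-secret key1 key2
# The manifest goes over kubectl's stdin; add --dry-run=client -o yaml to
# inspect it without creating anything in the cluster.
whisper_secret() {
  build_secret_manifest "$@" | kubectl create -f -
}

if [ $# -gt 0 ]; then whisper_secret "$@"; fi
```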


Bonus

kubectl whisper-secret is now integrated with krew, a kubectl plugin manager. The integration works on all platforms, so the plugin can be installed directly with krew. It's as simple as,

kubectl krew install whisper-secret
