Kubectl Whisper Secrets: Create Kubernetes Secrets With Secure Input
Krew plugin to create Kubernetes secrets securely
This blog post focuses on a plugin that allows end users to "create Kubernetes secrets by taking secure input from the console".
The in-line secret creation feature in Kubernetes is vulnerable to shoulder surfing attacks. In this blog, we will:
- Glance through the features to create Kubernetes secrets
- Analyze the risks of the default approach
- Get introduced to the plugin that fixes this problem
GitHub repository of the plugin: rewanthtammana/kubectl-whisper-secret
Introduction to Kubernetes
Kubernetes is an open-source container orchestration system for automating application deployment, scaling, and management. kubectl provides a CLI to manage Kubernetes clusters. It enables users to run operations such as describe, edit, exec, explain, logs, run, etc. on Kubernetes clusters.
A Kubernetes Secret is an object that contains a small amount of sensitive data such as a password, a token, or a key. Such information might otherwise be put in a Pod specification or in a container image. Using a Secret means that you don't need to include confidential data in your application code.
Kubectl CLI
The kubectl CLI has an extension mechanism called kubectl plugins - this advanced feature allows users to develop plugins that customize kubectl functionality. I leveraged this feature & built this plugin to solve the problem described in this post.
Default approach
We have different ways to create Kubernetes secrets. Input can be provided via:
- CLI, --from-literal
- File, --from-file
- Env files, --from-env-file
We are more interested in the --from-literal feature because it is the most exposed to this attack. Below are a couple of examples.
Creating a generic secret
kubectl create secret generic my-secret --from-literal key1=value1 --from-literal key2=value2
Creating docker registry secrets
kubectl create secret docker-registry my-docker-secret --docker-password s3cur3D0ck3rP@ssw0rD --docker-username root
In both the above examples, the secret value is exposed to shoulder surfing attacks, which can lead to password leakage & authentication bypass.
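As an added illustration (this is not code from the post or from the plugin): a value passed on the command line is not only readable over your shoulder, it is also written to the shell history file. The Python helper below scans history-style lines for the two secret-bearing forms shown above (--from-literal KEY=VALUE and --docker-password VALUE) and reports the key with the value redacted, so an operator can find which secrets were typed in plain view and rotate them. The sample history lines are constructed for the example.

```python
"""Audit shell-history lines for kubectl secret values passed as arguments.

Added example, not part of kubectl-whisper-secret. The sample history is
constructed; point main() at a real history file to scan it.
"""
import shlex
import sys

# Flags whose argument is "KEY=VALUE" (only KEY is reported).
LITERAL_FLAGS = {"--from-literal"}
# Flags whose argument is the secret value itself.
VALUE_FLAGS = {"--docker-password"}

# Constructed sample history (values are fake).
SAMPLE_HISTORY = [
    "kubectl get pods -n default",
    "kubectl create secret generic my-secret --from-literal key1=value1 --from-literal key2=value2",
    "kubectl create secret docker-registry my-docker-secret --docker-password s3cur3D0ck3rP@ssw0rD --docker-username root",
    "kubectl create secret generic other --from-literal=token=abc123",
]


def find_exposed_secrets(lines):
    """Return [(line_no, description)] for each secret-bearing argument.

    The secret value itself never appears in the result, only the flag and key.
    Both "--flag value" and "--flag=value" spellings are recognised.
    """
    findings = []
    for lineno, line in enumerate(lines, start=1):
        if "kubectl" not in line or "secret" not in line:
            continue
        try:
            args = shlex.split(line)
        except ValueError:
            continue  # unbalanced quoting: not a well-formed command line
        i = 0
        while i < len(args):
            flag, has_eq, inline = args[i].partition("=")
            if has_eq:
                value, skip = inline, 1
            else:
                value, skip = (args[i + 1] if i + 1 < len(args) else ""), 2
            if flag in LITERAL_FLAGS and value:
                key = value.split("=", 1)[0]  # "key1=value1" -> "key1"
                findings.append((lineno, f"{flag} {key}=<redacted>"))
                i += skip
            elif flag in VALUE_FLAGS and value:
                findings.append((lineno, f"{flag} <redacted>"))
                i += skip
            else:
                i += 1
    return findings


def main(argv):
    """Scan the history file given as the first argument (or the sample)."""
    if argv:
        with open(argv[0], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_HISTORY
    for lineno, description in find_exposed_secrets(lines):
        print(f"line {lineno}: {description}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with the path to your shell history (for example ~/.bash_history) to get one line per exposed secret; the values are never printed, so the report itself can be shared with whoever has to rotate them.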
Proposed approach
I leveraged the kubectl plugins feature & built a plugin to demonstrate an alternative approach to this problem.
Instead of passing sensitive values as part of the command, this plugin prompts you for each value on the console, so the secret is never typed in plain view.
kubectl whisper-secret generic my-secret --from-literal key1 --from-literal key2
Enter value for key1:
Enter value for key2:
secret/my-secret created
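To show how a plugin of this kind can work end to end, here is an added example in Python; it is not the code of kubectl-whisper-secret and makes its own choices. It accepts the same `generic NAME --from-literal KEY` form shown above, reads each value with `getpass` (no echo), refuses a KEY=VALUE argument so a value cannot slip back onto the command line, builds a Secret manifest with base64-encoded data, and hands it to `kubectl create -f -` over stdin, so the value appears neither in process listings nor in shell history. The `prompt` and `runner` parameters are assumptions introduced so the functions can be exercised without a terminal or a cluster; installing it as an executable named kubectl-whisper_secret on PATH makes it callable as `kubectl whisper-secret` (kubectl's plugin naming convention maps an underscore in the file name to a dash).

```python
"""Hypothetical kubectl plugin: prompt for secret values without echo, then
create the Secret through kubectl's stdin. Added example, not the real plugin.
"""
import base64
import getpass
import json
import subprocess
import sys


def parse_args(argv):
    """Parse: generic NAME --from-literal KEY [--from-literal KEY ...]

    Only keys are accepted; a KEY=VALUE argument is rejected so the value is
    always collected through the prompt.
    """
    if len(argv) < 2 or argv[0] != "generic":
        raise SystemExit("usage: kubectl whisper-secret generic NAME --from-literal KEY ...")
    name, keys, rest = argv[1], [], argv[2:]
    i = 0
    while i < len(rest):
        if rest[i] == "--from-literal" and i + 1 < len(rest):
            key, i = rest[i + 1], i + 2
        elif rest[i].startswith("--from-literal="):
            key, i = rest[i].split("=", 1)[1], i + 1
        else:
            raise SystemExit(f"unexpected argument: {rest[i]}")
        if not key or "=" in key:
            raise SystemExit("give only the key; the value is prompted for")
        keys.append(key)
    if not keys:
        raise SystemExit("at least one --from-literal KEY is required")
    return name, keys


def prompt_for_values(keys, prompt=getpass.getpass):
    """Ask for each key's value on the console without echoing it.

    `prompt` is injectable (assumption for testability); getpass is the default.
    """
    values = {}
    for key in keys:
        value = prompt(f"Enter value for {key}: ")
        if not value:
            raise ValueError(f"empty value for {key}")
        values[key] = value
    return values


def build_secret_manifest(name, data, namespace="default", secret_type="Opaque"):
    """Return a Kubernetes Secret manifest (dict) with base64-encoded data."""
    encoded = {
        key: base64.b64encode(value.encode("utf-8")).decode("ascii")
        for key, value in data.items()
    }
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": secret_type,
        "data": encoded,
    }


def create_secret(manifest, runner=subprocess.run):
    """Pipe the manifest into `kubectl create -f -` and return the exit code.

    The secret travels through the pipe, never through argv, so it does not
    show up in `ps` output or in shell history. `runner` is injectable.
    """
    result = runner(
        ["kubectl", "create", "-f", "-"],
        input=json.dumps(manifest).encode("utf-8"),
        capture_output=True,
        check=False,
    )
    if result.returncode != 0:
        sys.stderr.write(result.stderr.decode("utf-8", errors="replace"))
    return result.returncode


def main(argv):
    name, keys = parse_args(argv)
    manifest = build_secret_manifest(name, prompt_for_values(keys))
    return create_secret(manifest)


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

`kubectl create` rather than `kubectl apply` is used deliberately: apply stores a copy of the manifest in the last-applied-configuration annotation on the object, which would duplicate the secret data inside the cluster object.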
Bonus
kubectl whisper-secret is now integrated with krew, a kubectl plugin manager. The integration works on all platforms, so the plugin can be installed directly with krew. It's as simple as:
kubectl krew install whisper-secret