Kubectl Whisper Secrets: Create Kubernetes Secrets With Secure Input

Krew plugin to create Kubernetes secrets securely

This blog post focuses on a plugin that lets end users "create Kubernetes secrets by taking secure input from the console".

Creating secrets from literal values on the kubectl command line is vulnerable to shoulder surfing attacks. In this blog, we will

  • Glance through the ways to create Kubernetes secrets
  • Analyze the risks of the default approach
  • Get introduced to the plugin that fixes this problem

GitHub link of the plugin: rewanthtammana/kubectl-whisper-secret

Introduction to Kubernetes

Kubernetes is an open-source container orchestration system for automating application deployment, scaling, and management. kubectl provides a command-line interface for managing Kubernetes clusters and lets users run operations such as describe, edit, exec, explain, logs, run, etc. against a cluster.

A Kubernetes Secret is an object that contains a small amount of sensitive data such as a password, a token, or a key. Such information might otherwise be put in a Pod specification or in a container image. Using a Secret means that you don't need to include confidential data in your application code.

Kubectl CLI

The kubectl CLI has an extension mechanism called kubectl plugins; this advanced feature allows users to develop plugins that customize kubectl functionality. I leveraged this feature and built a plugin to solve the problem described in this post.

Default approach

We have different ways to create Kubernetes secrets. Input can be provided via

  1. CLI, --from-literal
  2. File, --from-file
  3. Env files, --from-env-file

We are most interested in the --from-literal option because it is the one exposed to shoulder surfing. Below are a couple of examples.

Creating a generic secret

kubectl create secret generic my-secret --from-literal key1=value1 --from-literal key2=value2

Creating docker registry secrets

kubectl create secret docker-registry my-docker-secret --docker-password s3cur3D0ck3rP@ssw0rD --docker-username root

In both of the above examples, the secret value is typed in clear text and can be captured by shoulder surfing; it also ends up in the shell history. This can lead to password leakage and authentication bypasses.

Proposed approach

I leveraged the kubectl plugins feature and built a plugin to demonstrate an alternative approach to this problem.

Instead of passing the sensitive value on the command line, the plugin takes only the key names as arguments and then prompts for each value on the console, reading it as secure (hidden) input.

kubectl whisper-secret generic my-secret --from-literal key1 --from-literal key2
Enter value for key1: 
Enter value for key2: 
secret/my-secret created
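A minimal shell version of the same idea, added here as an example and not taken from the plugin's code: it prompts for each value with terminal echo disabled and writes a Secret manifest to stdout for kubectl apply -f -, so the values never appear on the command line or in the shell history. It assumes a POSIX shell with stty and base64 on PATH; the secret name and key names are placeholders.

```shell
#!/bin/sh
# Added example (not the plugin's own code): prompt for each secret value with
# terminal echo disabled and emit a Secret manifest on stdout, so the values
# never appear on the kubectl command line.
# Usage: whisper_secret_manifest my-secret key1 key2 | kubectl apply -f -

# Read one line from stdin without echoing it when stdin is a terminal.
read_hidden() {
  if [ -t 0 ]; then
    # Restore echo if the user aborts mid-prompt, then exit as interrupted.
    trap 'stty echo; exit 130' INT
    stty -echo
  fi
  IFS= read -r HIDDEN_VALUE
  if [ -t 0 ]; then
    stty echo
    trap - INT
    printf '\n' >&2   # the user's Enter was not echoed; move to the next line
  fi
}

# $1 = secret name, remaining args = data keys (placeholder names in the usage).
whisper_secret_manifest() {
  name="$1"; shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for key in "$@"; do
    # Prompt on stderr so stdout stays a clean manifest for kubectl.
    [ -t 0 ] && printf 'Enter value for %s: ' "$key" >&2
    read_hidden
    # Secret.data values are base64; tr strips the line wrap GNU base64 adds.
    encoded=$(printf '%s' "$HIDDEN_VALUE" | base64 | tr -d '\n')
    printf '  %s: %s\n' "$key" "$encoded"
  done
  unset HIDDEN_VALUE encoded
}
```

Pipe the output straight into kubectl apply rather than redirecting it to a file, since the manifest carries the values in base64, which is an encoding and not encryption.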


Bonus

kubectl whisper-secret is now integrated with krew, a kubectl plugin manager. The plugin works on all platforms, so it can be installed directly with krew. It's as simple as:

kubectl krew install whisper-secret