# Kubectl Whisper Secrets: Create Kubernetes Secrets With Secure Input


This blog post focuses on a plugin that allows end user to "Create Kubernetes secrets by taking secure input from the console".

The in-line secret creation feature in Kubernetes is vulnerable to shoulder surfing attacks. In this blog, we will

* Glance through the features to create Kubernetes secrets
* Analyze the risks with default approach
* Get introduced to the plugin that fixes this problem

**Github link of the plugin:** [rewanthtammana/kubectl-whisper-secret](https://github.com/rewanthtammana/kubectl-whisper-secret)

### Introduction to Kubernetes

> Kubernetes is an open-source container orchestration system for automating application deployment, scaling, and management. kubectl provides a CLI interface to manage Kubernetes clusters. Kubectl enables the users to run different operations like describe, edit, exec, explain, logs, run, etc on Kubernetes clusters.

> Kubernetes secret is an object that contains a small amount of sensitive data such as a password, a token, or a key. Such information might otherwise be put in a Pod specification or in a container image. Using a Secret means that you don't need to include confidential data in your application code.

### Kubectl CLI

> The kubectl CLI has an extended feature called kubectl plugins - this advanced feature allows the users to develop plugins to customize kubectl functionality. I leverage this feature & built this plugin to solve the inception problem.

### Default approach

We have different ways to create [Kubernetes secrets](https://kubernetes.io/docs/concepts/configuration/secret/). Input can be provided via

1. CLI, `--from-literal`
1. File, `--from-file`
1. Env files, `--from-env-file`

We are more interested in the `--from-literal` feature because it's more subjected to attack. Below are a couple of examples.

#### Creating a generic secret

```bash
kubectl create secret generic my-secret --from-literal key1=value1 --from-literal key2=value2
```
#### Creating docker registry secrets

```bash
kubectl create secret docker-registry my-docker-secret --docker-password s3cur3D0ck3rP@ssw0rD --docker-username root
```

In both the above examples, the secret value is exposed via <a href="https://en.wikipedia.org/wiki/Shoulder_surfing_(computer_security)">shoulder surfing attacks</a>. This will lead to password leakage & authentication bypasses.

### Proposed approach

I leveraged the *kubectl plugins* feature & built a plugin to demonstrate an alternative solution & approach to this problem.

Instead of taking sensitive input through terminal, with the help of this plugin, you will be able to provide sensitive input.

```bash
kubectl whisper-secret generic my-secret --from-literal key1 --from-literal key2
Enter value for key1: 
Enter value for key2: 
secret/my-secret created
```


![rewanthtammana-kubectl-whisper-secret-proposed-approach.PNG](https://cdn.hashnode.com/res/hashnode/image/upload/v1634403642792/6kq8O8A3N.png)

### Bonus

`kubectl whisper-secret` is now integrated with [krew](https://github.com/kubernetes-sigs/krew), a kubectl plugin manager. This plugin integration works on all platforms. So, this plugin can be installed directly with krew. It’s as simple as,

```bash
kubectl krew install whisper-secret
```

### References

* [What is shoulder surfing?](https://discover.hubpages.com/technology/What-Is-Shoulder-Surfing)
* [Kubectl whisper secret](https://github.com/rewanthtammana/kubectl-whisper-secret)
