vault-secrets-webhook
Option to remove vault-env binary after startup
Preflight Checklist
- [X] I have searched the issue tracker for an issue that matches the one I want to file, without success.
- [X] I agree to follow the Code of Conduct.
Problem Description
We use vault secret webhooks in our k8s cluster, and it's great that we're able to invoke secrets using env_vars without having to define secret resources. The challenge that we're facing is that users with exec access to the pod itself can execute the vault-env binary and replay the secrets. Has anyone thought about removing access to the vault-env binary, and if so, I would love to hear how you resolved it. It would be nice to have some kind of implementation where we can use an annotation that restricts access to the vault-env binary. Thoughts?
Proposed Solution
Unsure at this time but maybe some kind of annotation to prevent from replaying the secrets?
Alternatives Considered
No response
Additional Information
No response
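The attack path described in the issue is exec access to the pod: anyone who can open an exec session can re-run the injected binary and read the resolved secrets. Until the webhook offers a way to remove or lock down vault-env, the lever that exists today is Kubernetes RBAC, which is allow-only, so the practical check is "which subjects hold a rule that grants the exec subresource on pods at all". The script below is an added example written for this page, not code from bank-vaults or vault-secrets-webhook; the Role, ClusterRole and binding objects it walks are constructed sample data shaped like the RBAC API types, not real cluster output. It treats `get` as well as `create` on `pods/exec` as an exec grant, because the API server serves the exec subresource over both GET and POST.

```python
"""Audit RBAC objects for subjects that can open an exec session on pods.

Constructed example: the ROLES and BINDINGS below mimic the shape of
Kubernetes Role/ClusterRole and RoleBinding/ClusterRoleBinding objects
(for real data, feed in `kubectl get roles,clusterroles,rolebindings,
clusterrolebindings -A -o json`). Nothing here is part of the webhook.
"""
from __future__ import annotations

# Verbs, resources and API groups whose wildcard forms also cover pods/exec.
# `kubectl exec` POSTs (verb "create"), but the apiserver also answers GET on
# the exec subresource, so "get" is treated as an exec grant too.
EXEC_VERBS = {"create", "get", "*"}
EXEC_RESOURCES = {"pods/exec", "pods/*", "*"}
CORE_GROUPS = {"", "*"}          # pods live in the core ("") API group

ROLES = [
    {"kind": "Role", "metadata": {"name": "app-deployer", "namespace": "payments"},
     "rules": [
         {"apiGroups": [""], "resources": ["pods", "pods/log"],
          "verbs": ["get", "list", "watch"]},
         {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]},
     ]},
    {"kind": "Role", "metadata": {"name": "debugger", "namespace": "payments"},
     "rules": [
         {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
     ]},
    {"kind": "ClusterRole", "metadata": {"name": "ops-wildcard"},
     "rules": [
         {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
     ]},
]

BINDINGS = [
    {"kind": "RoleBinding", "metadata": {"name": "deployers", "namespace": "payments"},
     "roleRef": {"kind": "Role", "name": "app-deployer"},
     "subjects": [{"kind": "Group", "name": "payments-devs"}]},
    {"kind": "RoleBinding", "metadata": {"name": "debuggers", "namespace": "payments"},
     "roleRef": {"kind": "Role", "name": "debugger"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ops"},
     "roleRef": {"kind": "ClusterRole", "name": "ops-wildcard"},
     "subjects": [{"kind": "ServiceAccount", "name": "ops-bot",
                   "namespace": "kube-system"}]},
]


def rule_allows_exec(rule: dict) -> bool:
    """True if one PolicyRule lets its holder exec into pods (wildcards included)."""
    if not CORE_GROUPS & set(rule.get("apiGroups", [])):
        return False
    if not EXEC_RESOURCES & set(rule.get("resources", [])):
        return False
    return bool(EXEC_VERBS & set(rule.get("verbs", [])))


def subject_id(subject: dict) -> str:
    """Render a binding subject as Kind/name (ServiceAccounts carry their namespace)."""
    if subject["kind"] == "ServiceAccount":
        return f"ServiceAccount/{subject['namespace']}:{subject['name']}"
    return f"{subject['kind']}/{subject['name']}"


def exec_grants(roles: list[dict], bindings: list[dict]) -> list[tuple[str, str, str]]:
    """Return sorted (subject, namespace-or-'*', role name) for every exec grant."""
    by_ref = {}
    for role in roles:
        ns = role["metadata"].get("namespace")          # None for ClusterRole
        by_ref[(role["kind"], role["metadata"]["name"], ns)] = role

    findings = []
    for binding in bindings:
        ref = binding["roleRef"]
        binding_ns = binding["metadata"].get("namespace")
        # A RoleBinding may point at a namespaced Role or at a ClusterRole
        # (granting it only in the binding's namespace); a ClusterRoleBinding
        # points at a ClusterRole and applies in every namespace.
        role_ns = binding_ns if ref["kind"] == "Role" else None
        role = by_ref.get((ref["kind"], ref["name"], role_ns))
        if role is None or not any(rule_allows_exec(r) for r in role.get("rules", [])):
            continue
        scope = binding_ns if binding["kind"] == "RoleBinding" else "*"
        for subject in binding.get("subjects", []):
            findings.append((subject_id(subject), scope, ref["name"]))
    return sorted(findings)


if __name__ == "__main__":
    for subject, scope, role_name in exec_grants(ROLES, BINDINGS):
        print(f"{subject:<40} exec in {scope:<10} via {role_name}")
```

Against the sample data the group `payments-devs` is not reported (its role only reads pods and logs), `User/alice` is reported for the `payments` namespace, and the wildcard ClusterRole surfaces `ops-bot` with cluster-wide exec. For a spot check on a live cluster the equivalent question is `kubectl auth can-i create pods/exec -n <namespace> --as <user>`. Note the caveat this audit does not cover: removing exec rights does not help against anyone who can deploy a workload of their own with the same service account and annotations, since that workload will have vault-env injected too.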