vault-secrets-webhook

Option to remove vault-env binary after startup

Open ronballesteros opened this issue 2 months ago • 0 comments

Preflight Checklist

  • [X] I have searched the issue tracker for an issue that matches the one I want to file, without success.
  • [X] I agree to follow the Code of Conduct.

Problem Description

We use vault secret webhooks in our k8s cluster and it's great that we're able to invoke secrets using env_vars without having to define secret resources. The challenge that we're facing is that users with exec access to the pod itself can execute the vault-env binary and replay the secrets. Has anyone thought about removing access to the vault-env binary, and if so, would love to hear how you resolved it. Would be nice to have some kind of implementation where we can invoke an annotation where access to the vault-env binary is restricted. Thoughts?

Proposed Solution

Unsure at this time but maybe some kind of annotation to prevent from replaying the secrets?

Alternatives Considered

No response

Additional Information

No response

ronballesteros, Apr 22 '24 19:04
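The issue above turns on who can `kubectl exec` into a mutated pod, since that is what allows the vault-env binary to be re-run. Whatever the project decides about removing the binary, the complementary defensive control is knowing which RBAC subjects hold `create` on the `pods/exec` subresource. The script below is an added example, not code from the vault-secrets-webhook project or from the issue author. It audits Role/ClusterRole and RoleBinding/ClusterRoleBinding objects in the shape the Kubernetes API returns them (for example from `kubectl get clusterroles,clusterrolebindings -o json`), handling the `*` wildcards and the `*/exec` subresource form that the RBAC authorizer accepts; the role and binding objects embedded here are constructed sample data.

```python
"""Audit Kubernetes RBAC for subjects that can open an exec session in pods.

Added example, not part of vault-secrets-webhook. `kubectl exec` is authorised
as the verb `create` on the subresource `pods/exec` in the core API group,
whose name in PolicyRule.apiGroups is the empty string "". The sample objects
at the bottom are constructed to look like API responses.
"""
from typing import Dict, List, Tuple

EXEC_RESOURCE = "pods/exec"
EXEC_VERB = "create"


def rule_grants_exec(rule: Dict) -> bool:
    """Return True if one PolicyRule grants `create` on pods/exec.

    Wildcards the RBAC authorizer honours: "*" in apiGroups, resources or
    verbs, and the "*/<subresource>" form (so "*/exec" also matches).
    """
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    group_ok = "" in groups or "*" in groups
    resource_ok = EXEC_RESOURCE in resources or "*" in resources or "*/exec" in resources
    verb_ok = EXEC_VERB in verbs or "*" in verbs
    return group_ok and resource_ok and verb_ok


def exec_capable_subjects(roles: List[Dict], bindings: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return sorted (subject kind, subject name, scope) for every binding whose
    role grants exec. Scope is "*" for a ClusterRoleBinding (cluster-wide) and
    the namespace name for a RoleBinding.
    """
    # Roles are namespaced, ClusterRoles are not; key both the same way.
    index = {}
    for r in roles:
        ns = r["metadata"].get("namespace", "") if r["kind"] == "Role" else ""
        index[(r["kind"], ns, r["metadata"]["name"])] = r

    found = set()
    for b in bindings:
        ref = b["roleRef"]
        is_cluster = b["kind"] == "ClusterRoleBinding"
        binding_ns = "" if is_cluster else b["metadata"]["namespace"]
        # A RoleBinding may reference a ClusterRole (then scoped to its namespace)
        # or a Role in its own namespace.
        ref_ns = binding_ns if ref["kind"] == "Role" else ""
        role = index.get((ref["kind"], ref_ns, ref["name"]))
        if role is None:
            continue  # dangling roleRef grants nothing
        if not any(rule_grants_exec(rule) for rule in role.get("rules", [])):
            continue
        scope = "*" if is_cluster else binding_ns
        for s in b.get("subjects", []):
            found.add((s["kind"], s["name"], scope))
    return sorted(found)


# Constructed sample objects (shape follows the Kubernetes RBAC API).
SAMPLE_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "Role", "metadata": {"name": "debugger", "namespace": "payments"},
     "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
]

SAMPLE_BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "admins"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "platform-admins"}]},
    {"kind": "RoleBinding", "metadata": {"name": "pod-readers", "namespace": "payments"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "monitor"}]},
    {"kind": "RoleBinding", "metadata": {"name": "debuggers", "namespace": "payments"},
     "roleRef": {"kind": "Role", "name": "debugger"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]


def audit_sample() -> List[Tuple[str, str, str]]:
    """Run the audit over the constructed sample cluster."""
    return exec_capable_subjects(SAMPLE_ROLES, SAMPLE_BINDINGS)


if __name__ == "__main__":
    for kind, name, scope in audit_sample():
        print(f"{kind}/{name} can exec into pods (scope: {scope})")
```

Feed it real objects by loading the JSON from `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json` and passing the `items` lists; any subject the audit lists for a namespace that hosts vault-env-injected pods is one that can re-run the binary, which is the access the issue asks to restrict.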