yakd

Disable Kubernetes Secrets that are visible from console

Open utsavv27 opened this issue 9 months ago • 4 comments

When I pressed F12 and looked at the console for the k8s secrets, I could see all the secrets of my cluster. Sample of the k8s Secret configuration I used:

apiVersion: v1
kind: Secret
metadata:
  name: test
  namespace: test
stringData:
  NEXTAUTH_SECRET: "testing dashboard secret"

Image

@manusa

utsavv27 avatar Feb 24 '25 05:02 utsavv27

Hi @utsavv27 This is the normal/expected Kubernetes behavior. Note that if you click on the blurred secret it will become visible too (no need for developer tools console). Secrets in Kubernetes are just a semantic way to store config parameters that are intended to be secret (i.e. it's just a specialized ConfigMap). If you don't want to have the secrets exposed to anyone with API access you should consider using an external secret provider instead.

  • https://kubernetes.io/docs/concepts/configuration/secret/
  • https://kubernetes.io/docs/concepts/security/secrets-good-practices/

Caution:

Kubernetes Secrets are, by default, stored unencrypted in the API server's underlying data store (etcd). Anyone with API access can retrieve or modify a Secret, and so can anyone with access to etcd. Additionally, anyone who is authorized to create a Pod in a namespace can use that access to read any Secret in that namespace; this includes indirect access such as the ability to create a Deployment.

manusa avatar Feb 26 '25 11:02 manusa

@manusa can we add any functionality to hide those secrets like we can see the secrets name not the value?

utsavv27 avatar Feb 26 '25 11:02 utsavv27

> @manusa can we add any functionality to hide those secrets like we can see the secrets name not the value?

I guess we could, but note that you should really be hiding them from the API server itself by configuring good RBAC (in case your users have other means of access to your cluster API server). I'll keep this issue open as the scope to implement such a feature in the future.

manusa avatar Feb 26 '25 11:02 manusa
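As an added example (not yakd's code and not posted by anyone in this thread): a small audit over the JSON that `kubectl get roles,clusterroles -A -o json` prints, flagging which Roles can read Secrets directly and which can do so indirectly through the Pod-creation path the quoted caution describes. The sample input is constructed, not captured from a real cluster.

```python
import json

READ_VERBS = ("get", "list", "watch")
# Creating any of these workloads lets a subject mount a namespace's Secrets
# into a Pod, the indirect access the Kubernetes docs caution about.
POD_CREATORS = (("", "pods"), ("apps", "deployments"), ("apps", "statefulsets"),
                ("apps", "daemonsets"), ("batch", "jobs"), ("batch", "cronjobs"))


def rule_grants(rule, group, resource, verb):
    """True if one RBAC rule allows `verb` on `resource` in API `group`.
    Kubernetes treats "*" as a wildcard in apiGroups, resources and verbs."""
    def allows(field, wanted):
        values = rule.get(field, [])
        return "*" in values or wanted in values
    return (allows("apiGroups", group) and allows("resources", resource)
            and allows("verbs", verb))


def audit_secret_access(rbac_json):
    """Map 'Kind/name' -> 'direct' | 'indirect' for every Role/ClusterRole
    that can read Secrets, given the kubectl JSON list output as a string."""
    findings = {}
    for item in json.loads(rbac_json)["items"]:
        name = f'{item["kind"]}/{item["metadata"]["name"]}'
        direct = indirect = False
        for rule in item.get("rules", []):
            direct |= any(rule_grants(rule, "", "secrets", v) for v in READ_VERBS)
            indirect |= any(rule_grants(rule, g, r, "create") for g, r in POD_CREATORS)
        if direct:
            findings[name] = "direct"
        elif indirect:
            findings[name] = "indirect"
    return findings


# Constructed sample in the shape of the kubectl JSON list output.
SAMPLE = json.dumps({"items": [
    {"kind": "Role", "metadata": {"name": "secret-reader", "namespace": "test"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin-like"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "deployer", "namespace": "test"},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["create", "patch"]}]},
    {"kind": "Role", "metadata": {"name": "secret-writer", "namespace": "test"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["create", "update"]}]},
    {"kind": "Role", "metadata": {"name": "configmap-viewer", "namespace": "test"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list", "watch"]}]},
]})

if __name__ == "__main__":
    for role, how in audit_secret_access(SAMPLE).items():
        print(f"{role}: can read Secrets ({how})")
```

Note that `list` counts as read access here: a list response carries the full `data` of every Secret, so RBAC alone cannot grant "names only" visibility.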

Is it possible to disable the console from opening in any browser? I think this will solve our problem.

Ex: we can see the console in the development environment if it's localhost (127.0.0.1), but if we are in prod, on any other IP or any domain, then the console would be disabled. @manusa

utsavv27 avatar Mar 27 '25 10:03 utsavv27