
Helm: secrets should be in separate secret resources and serviceaccounts

Open iainsproat opened this issue 2 years ago • 0 comments

What package are you referring to?

Helm Chart

Is your feature request related to a problem? Please describe.

Service Accounts, implemented as part of https://github.com/specklesystems/speckle-server/issues/859, restrict the secrets that a pod can mount. This enhances security by preventing a pod from mounting secrets that it should not have access to.

At present, all secrets are contained as different keys within the same k8s secret resource. This means that a pod that only requires access to redis, for example, is given permission to mount the secret and therefore has implicit access to all other resources (email, postgres, s3, etc.).

Describe the solution you'd like

Each secret key is split into a separate secret resource. Access to these secret resources is restricted by serviceaccounts, using the `secrets` property.

Describe alternatives you've considered

Additional context

Related issues or community discussions

https://github.com/specklesystems/speckle-server/issues/859

iainsproat, Aug 12 '22 18:08
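The layout proposed above, written out as plain Kubernetes manifests as an added example (this is not the speckle-server chart's own templates; resource names, the `speckle-preview-service` workload and the sample connection strings are all hypothetical, and a chart would template the names with the release name). One point the issue does not spell out: the `secrets` list on a ServiceAccount only restricts what pods can mount when the ServiceAccount carries the `kubernetes.io/enforce-mountable-secrets: "true"` annotation; with it, the ServiceAccount admission controller rejects any pod using that account whose volumes, `env`/`envFrom` secret references or `imagePullSecrets` name a Secret that is not in the list. Without the annotation, every pod in the namespace can still mount every Secret in it.

```yaml
# Added example, not from the speckle-server chart. All names and values are hypothetical.
# One Secret per backing service, so a pod can be granted exactly one of them.
apiVersion: v1
kind: Secret
metadata:
  name: speckle-redis
type: Opaque
stringData:
  redis_url: "redis://speckle-redis.default.svc.cluster.local:6379"   # constructed sample value
---
apiVersion: v1
kind: Secret
metadata:
  name: speckle-postgres
type: Opaque
stringData:
  postgres_url: "postgres://speckle:example-only@speckle-postgres:5432/speckle"   # constructed sample value
---
# The ServiceAccount for the Redis-only workload. The annotation is what turns the
# `secrets` list into an allow-list enforced at admission time.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: speckle-preview-service
  annotations:
    kubernetes.io/enforce-mountable-secrets: "true"
secrets:
  - name: speckle-redis          # speckle-postgres is deliberately absent
---
# A Deployment that uses the restricted ServiceAccount and only references speckle-redis.
# Adding a second env entry that points at speckle-postgres (or mounting it as a volume)
# would make the admission controller reject the Pod, because that Secret is not in the
# ServiceAccount's `secrets` list.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: speckle-preview-service
spec:
  replicas: 1
  selector:
    matchLabels:
      app: speckle-preview-service
  template:
    metadata:
      labels:
        app: speckle-preview-service
    spec:
      serviceAccountName: speckle-preview-service
      automountServiceAccountToken: false   # the workload talks only to Redis, not the API server
      containers:
        - name: preview-service
          image: example.invalid/speckle/preview-service:latest   # placeholder image reference
          env:
            - name: REDIS_URL
              valueFrom:
                secretKeyRef:
                  name: speckle-redis
                  key: redis_url
```

Apply with `kubectl apply -f` on a cluster that runs the default ServiceAccount admission plugin; then edit the Deployment to reference `speckle-postgres` and confirm the new Pod is rejected rather than scheduled. Note that the admission check is per Pod, not per container, so every container and init container in the Pod must stay within the ServiceAccount's list.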