
[Question] Clarification regarding secret visibility in container #816

Open

Moortiii opened this issue Feb 28, 2025 · 0 comments

Labels: question (Further information is requested)

Comments

Moortiii commented Feb 28, 2025

Question

The FAQ section states the following:

Can I prevent env-injected secrets from being listed in /proc/[pid]/environ inside the container?

Yes. Follow Docker Container best-practices and don't run your container as root: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user

I've created an image that runs its workloads as a non-root user with little to no privileges, as recommended by Docker.

However, using the command cat /proc/1/environ | xargs -0 -L1 | sort, I am still able to read the injected secrets from the environment.

Am I doing something wrong, or does the FAQ need to be updated?

Steps to reproduce

1. Create a file named manifests.yaml with the following contents to create a minimally reproducible example:

```yaml
---
apiVersion: v1
kind: Namespace
metadata:
  labels:
    azure-key-vault-env-injection: enabled
  name: example-app
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-deployment
  namespace: example-app
  labels:
    app: example-deployment
spec:
  selector:
    matchLabels:
      app: example-deployment
  template:
    metadata:
      labels:
        app: example-deployment
    spec:
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 2000
      containers:
      - name: example-deployment
        image: python:3.12
        securityContext:
          allowPrivilegeEscalation: false
        command: ["sleep", "10000"]
        env:
          - name: EXAMPLE_SECRET
            value: example-secret@azurekeyvault
---
apiVersion: spv.no/v2beta1
kind: AzureKeyVaultSecret
metadata:
  namespace: example-app
  name: example-secret
spec:
  vault:
    name: example-vault
    object:
      name: example-secret
      type: secret
```

This assumes that you have a key vault named example-vault with a secret named example-secret. It also assumes that the Managed Identity running in the cluster has read access to secrets in your key vault.

2. Apply your manifests using kubectl apply -f manifests.yaml
3. Get a shell on your pod, e.g. using k9s.
4. Run the command cat /proc/1/environ | xargs -0 -L1 | sort | grep -i "example_secret"

Expected output:

```console
I have no name!@example-deployment-6bc6b4d5dc-xpkwh:/$ cat /proc/1/environ | xargs -0 -L1 | sort | grep -i "example_secret"
EXAMPLE_SECRET=example-secret@azurekeyvault
```

Actual output:

```console
I have no name!@example-deployment-6bc6b4d5dc-xpkwh:/$ cat /proc/1/environ | xargs -0 -L1 | sort | grep -i "example_secret"
EXAMPLE_SECRET=this-is-a-secret
```
@Moortiii Moortiii added the question Further information is requested label Feb 28, 2025
@Moortiii Moortiii changed the title [Question] Clarification regarding secret visiblity in container [Question] Clarification regarding secret visibility in container Feb 28, 2025
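The observation in the report follows from how the kernel gates /proc/[pid]/environ: it is readable by root and by any process running under the same uid as the target (subject to the normal ptrace read-access checks), so a shell running as uid 1000 can read the environment of a PID 1 that also runs as uid 1000; dropping root alone does not change that. The script below is an added example and is not code from the akv2k8s project or from the reporter. It parses the NUL-separated /proc/[pid]/environ format that the `xargs -0 -L1` pipeline above relies on, reports whether a given pid's environ is readable from the calling process, and, for auditing, reports only variable names plus whether each value still carries the `@azurekeyvault` reference or has been resolved to a real value. The `EXAMPLE_SECRET` name and the `@azurekeyvault` suffix come from the issue; `SAMPLE_ENVIRON`, the function names and the `reference`/`resolved` labels are constructed for this example.

```python
"""Audit what is visible through /proc/<pid>/environ inside a container.

Added example (not part of akv2k8s or the issue report). Runs offline on
Linux against the constructed SAMPLE_ENVIRON bytes and, when executed
directly, against the live PID 1 of the current pid namespace.
"""
from __future__ import annotations

import os

# Suffix akv2k8s uses to mark an environment value for injection (from the issue).
INJECTION_SUFFIX = "@azurekeyvault"

# Constructed sample of a post-injection environ: "KEY=value" entries separated
# by NUL bytes, with a trailing NUL, exactly as /proc/<pid>/environ returns them.
SAMPLE_ENVIRON = (
    b"PATH=/usr/local/bin:/usr/bin\0"
    b"EXAMPLE_SECRET=this-is-a-secret\0"
    b"OTHER_REF=other-secret@azurekeyvault\0"
)


def parse_environ(data: bytes) -> dict[str, str]:
    """Split raw /proc/<pid>/environ bytes into a name -> value mapping.

    Equivalent to the `xargs -0 -L1` step in the report: split on NUL,
    then on the first '=' (values may themselves contain '=')."""
    env: dict[str, str] = {}
    for entry in data.split(b"\0"):
        if not entry:
            continue  # the trailing NUL yields one empty entry
        name, sep, value = entry.partition(b"=")
        if sep:
            env[name.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def classify(env: dict[str, str]) -> dict[str, str]:
    """Label each variable 'reference' if it still points at the vault, or
    'resolved' if the injector already replaced it with the real value.

    Only names and labels are returned, never the values, so the result is
    safe to log."""
    return {
        name: "reference" if value.endswith(INJECTION_SUFFIX) else "resolved"
        for name, value in env.items()
    }


def environ_access(pid: int | str) -> str:
    """Report how /proc/<pid>/environ looks from the calling process:
    'readable', 'denied' (the kernel's ptrace read check failed, e.g. a
    different uid), or 'missing' (no such pid)."""
    path = f"/proc/{pid}/environ"
    try:
        with open(path, "rb") as fh:
            fh.read(1)
        return "readable"
    except PermissionError:
        return "denied"
    except FileNotFoundError:
        return "missing"


def audit_pid(pid: int | str) -> dict[str, object]:
    """Combine the access check with the name-only classification."""
    status = environ_access(pid)
    result: dict[str, object] = {"pid": str(pid), "access": status}
    if status == "readable":
        with open(f"/proc/{pid}/environ", "rb") as fh:
            result["variables"] = classify(parse_environ(fh.read()))
    return result


if __name__ == "__main__":
    # Inside a pod this shows whether the workload uid can see PID 1's secrets.
    print(f"running as uid {os.getuid()}")
    print(audit_pid(1))
```

Run it from a shell in the pod to see, for the current uid, whether PID 1's environ is readable and which injected variables have already been resolved; a `denied` result is what you would see from a uid that differs from PID 1's, which is the property the FAQ answer seems to assume.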