Skip to content

Cloud-Army-Secret-Injector read secrets from GCP Secret Manager and automatically injects the values as environment variables to the application subprocess.

License

Notifications You must be signed in to change notification settings

cloud-army/secret-mutator-admission-webhook

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

92 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

cloud-army-secret-admission-controller

This is a [Kubernetes admission controller] to be used as a mutating admission webhook to add a container-init with a custom binary that extract secrets from GCP Secret Manager and to push this secrets to the container entrypoint sub-process. This solution can be used to compliance with the CIS Kubernetes Benchmark v1.5.1 specially with the control id: 5.4.1 (no-secrets-as-env-vars).

Requirements

  • Google Kubernetes Engine (GKE) with Workload Identity enabled and binding between KSA and GSA (view K8S references).

NOTE: Make sure that the GSA have roles/secretmanager.secretAccessor IAM Role assigned.

  • Cert-manager controller should be installed on Kubernetes GKE (view K8S references)

  • Ensure you have the admission-webhook=enabled label in the namespace where you want to run your applications (*)

Installation:

Deploy Admission Webhook

To configure the cluster to use the admission webhook and to deploy said webhook, run the nexts installation steps:

helm repo add cloud-army https://cloud-army.github.io/helm-charts

helm install cloud-army-secret-injector cloud-army/cloud-army-secret-injector

🚨 IMPORTANT NOTE: Cert-manager controller should be installed in your cluster (view K8S references) 🚨

Then, make sure the admission webhook resources are correctly configured (in the mutator namespace):

NAME                                           READY   STATUS    RESTARTS   AGE
pod/carmy-kubernetes-webhook-87c777467-rkc9s   1/1     Running   0          35s
pod/carmy-kubernetes-webhook-87c777467-wqztv   1/1     Running   0          35s

NAME                               TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
service/carmy-kubernetes-webhook   ClusterIP   10.192.49.76   <none>        443/TCP   36s

NAME                                       READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/carmy-kubernetes-webhook   2/2     2            2           36s

NAME                                                 DESIRED   CURRENT   READY   AGE
replicaset.apps/carmy-kubernetes-webhook-87c777467   2         2         2       36s

Usage:

Deploying pods

Build and Deploy a test pod that gets secrets from GCP Secret Manager and print its in the pod console.

ℹ️ (*) Remember that: The namespace where running the applications should be labeled with admission-webhook: enabled:

kubectl label namespaces [applications_namespace] admission-webhook=enabled

🚀 Building and Deploying a test pod...

kubectl apply -f manifests/pods-example/pod-example.yaml

pod/envserver created

apiVersion: apps/v1
kind: Deployment
metadata:
  name: envprinter
spec:
  replicas: 1
  selector:
    matchLabels:
      app: envprinter
  template:
    metadata:
      labels:
        app: envprinter
    spec:
      containers:
      - name: envprinter
        image: # docker image of your application here
        imagePullPolicy: Always
        command: ["entrypoint.sh"] # Use entrypoint.sh command as a standard name

🚨 IMPORTANT NOTE: Only for test, you should create a docker image with a simple entrypoint that use printenv & sleep with time in seconds, a envsecrets-config.json file, and running the pods using Workload Identity🚨

About the envsecrets-config.json file, it is the place were declaring the GCP Secrets resources that you need consume, and it's his estructure is:

{
    "secrets":[
        {
            "env":"",
            "name":"projects/GCP_PROJECT_NUMBER/secrets/GCP_SECRET_NAME/versions/latest"
        }
    ],
    "config":
        {
            "convert_to_uppercase_var_names": true
        }
}

asciicast

For more information about the envsecrets-config.json file, check this repo https://github.com/cloud-army/envsecrets

Security Controls Compliance

CIS Google Kubernetes Engine (GKE) Benchmark v1.5.1 controls:

  • 5.4.1 Prefer using secrets as files over secrets as environment variables

NOTE: Handle secrets as environment variables inside a container is also a bad practice, this method enables to handle the secrets as a environment variable for ONLY the PID of the running application, wich is more secure for every runtime application.

  • 6.2.2 Prefer using dedicated GCP Service Accounts and Workload Identity

Contributing:

Please see the contributing guidelines.

License:

This library is licensed under Apache 2.0. Full license text is available in LICENSE.

K8S references:

About

Cloud-Army-Secret-Injector read secrets from GCP Secret Manager and automatically injects the values as environment variables to the application subprocess.

Topics

Resources

License

Stars

Watchers

Forks

Packages

No packages published