Your application is running as a container in a Google Kubernetes Engine cluster. You need to add a secret to your application using a secure approach. What should you do?
Storing credentials in Secret Manager and using Workload Identity to map a Kubernetes Service Account to a Google Service Account provides a more secure approach than using Kubernetes Secrets directly. Kubernetes Secrets are merely base64 encoded, not encrypted, which leaves them vulnerable if someone gains access to the cluster. By using Secret Manager, the secrets are securely stored, and Workload Identity ensures that only authorized workloads can access these secrets.
A is not correct because a Kubernetes Secret only encodes the string, and anyone who can read the secret will be able to decode it.
Using D would also be a secure approach. Option D uses a combination of Google Secret Manager, Google Service Account, and Workload Identity to store and retrieve secrets securely. The Workload Identity enables the Kubernetes Service Account to act as the Google Service Account, which has the required permissions to read the secrets from Secret Manager. Both options A and D are secure ways to store and retrieve secrets in a Kubernetes cluster, but option A is simpler and requires fewer steps. It may be more appropriate for smaller or less complex environments, while option D provides more advanced security and management features and is more suitable for larger and more complex environments.
It is the D option https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity https://cloud.google.com/secret-manager/docs/overview
D is the best answer: You should not store secrets in k8s secrets: https://kubernetes.io/docs/concepts/configuration/secret/ They are for environment variables.
https://kubernetes.io/docs/concepts/configuration/secret/
Secrets can be mounted as data volumes or exposed as environment variables to be used by a container in a Pod. Secrets can also be used by ... https://cloud.google.com/secret-manager/docs/best-practices https://kubernetes.io/docs/concepts/security/secrets-good-practices/
What I have seen till now and done till now is option A. So I go with option A. What is the best secure approach between A and D, I am not sure. So, very doubtfully I go with A.
D is correct.
Alternative D is correct. Problem I see with alternative A is that storing secrets in Kubernetes Secrets in plain text format is not aligned with best practices, as such secrets are base64 encoded but not encrypted at rest. If a malicious agent gains access to the cluster, secrets can be easily decoded and captured.
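As an added example (not from any commenter and not Google's own tooling), a small Python audit that makes the difference between option A and option D concrete: it decodes a Kubernetes Secret's `data` field to show it is only base64, and for each Pod reports which Kubernetes Secrets it consumes and whether its service account carries the `iam.gke.io/gcp-service-account` annotation that Workload Identity uses to map a KSA to a Google service account. The manifests are constructed samples, and `PROJECT_ID` is a placeholder.

```python
import base64

# Annotation GKE Workload Identity uses to map a Kubernetes SA to a Google SA.
WI_ANNOTATION = "iam.gke.io/gcp-service-account"

def decode_k8s_secret(secret):
    """Return the plaintext values of a Kubernetes Secret: 'data' is only base64."""
    return {k: base64.b64decode(v).decode() for k, v in secret.get("data", {}).items()}

def audit(objects):
    """For each Pod, list the Kubernetes Secrets it consumes and the Google SA
    (if any) its Kubernetes SA is mapped to through Workload Identity."""
    sas = {o["metadata"]["name"]: o for o in objects if o["kind"] == "ServiceAccount"}
    findings = []
    for o in objects:
        if o["kind"] != "Pod":
            continue
        spec = o["spec"]
        used = set()  # Secrets wired in via env vars, envFrom or volumes
        for c in spec.get("containers", []):
            for e in c.get("env", []):
                ref = e.get("valueFrom", {}).get("secretKeyRef")
                if ref:
                    used.add(ref["name"])
            for e in c.get("envFrom", []):
                if "secretRef" in e:
                    used.add(e["secretRef"]["name"])
        for v in spec.get("volumes", []):
            if "secret" in v:
                used.add(v["secret"]["secretName"])
        sa = sas.get(spec.get("serviceAccountName", "default"), {})
        gsa = sa.get("metadata", {}).get("annotations", {}).get(WI_ANNOTATION)
        findings.append({"pod": o["metadata"]["name"], "k8s_secrets": sorted(used),
                         "workload_identity_gsa": gsa})
    return findings

# Constructed sample manifests (not from a real cluster); PROJECT_ID is a placeholder.
SAMPLE_OBJECTS = [
    {"kind": "Secret", "metadata": {"name": "db-creds"}, "data": {"password": "aHVudGVyMg=="}},
    {"kind": "ServiceAccount", "metadata": {"name": "app-ksa", "annotations": {
        WI_ANNOTATION: "app-sa@PROJECT_ID.iam.gserviceaccount.com"}}},
    {"kind": "Pod", "metadata": {"name": "option-a"}, "spec": {"containers": [{"name": "app",
        "env": [{"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef": {
            "name": "db-creds", "key": "password"}}}]}]}},
    {"kind": "Pod", "metadata": {"name": "option-d"}, "spec": {
        "serviceAccountName": "app-ksa", "containers": [{"name": "app"}]}},
]

if __name__ == "__main__":
    print(decode_k8s_secret(SAMPLE_OBJECTS[0]))  # the "encoded" password is recoverable
    for finding in audit(SAMPLE_OBJECTS):
        print(finding)
```

The option-A Pod shows up with a decodable Kubernetes Secret and no Google SA mapping, while the option-D Pod consumes no Kubernetes Secret and is mapped to a Google SA that can be granted Secret Manager access in IAM.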
simple is the best