Comments (2)
asaintsever
commented on June 11, 2024
Hello,
Internally the feature depends on the secrets file so it is not possible to not "have the secrets file in the pods" but this is totally transparent, you even don't need to explicitly mount a volume.
Why is it an issue to you? Your process already has access to the secrets via the env vars, why would it be more secure to not have them in files? FYI, the secrets are mounted in a memory volume (not a persistent storage) that only containers in your pod can see and access to.
What I can do though is to delete those secrets files once env vars are initialized (just before your process is run). Will consider that improvement for next patch release.
from vault-sidecar-injector.
asaintsever
commented on June 11, 2024
After second thought, removing secrets file as I proposed is not a good idea from a resiliency standpoint. If your container restarts, those files will be required to reinject the secrets as env vars in your process.
I will close this ticket as internal implementation depends on those files and there's no security issue keeping them.
from vault-sidecar-injector.
Related Issues (11)
- Document requirement for configured certificates api HOT 2
- secrets-template with >1 templates that include range statement causes dest/template mismatch HOT 2
- Do not verify kubernetes apiserver cert HOT 2
- Using secrets in env variables HOT 4
- Grafana v7.3.1 does not work with the sidecar injector HOT 2
- Kubernetes authentication failing when using the samples HOT 2
- error installing the chart: error calling tpl: error during tpl function execution HOT 1
- Vault Sidecar Removes Annotations from Pod
- Security Policy violation SECURITY.md HOT 126
- Leverage new Vault 1.3 "Vault Agent Template" feature HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from vault-sidecar-injector.