Hi guys, is there a possibility to inject a kubernetes secret into a deployment/pod using stdin with command?
The scenario is to reduce the attack surface, where variables and files are exposed to other processes within the container. And it would be very interesting to do this built-in.
Kubernetes version: 1.27
I found a stdin parameter in the CRI and Kubernetes specifications that can be used, but I didn’t understand how, since it is a boolean.
- name: redis-container
  command: ["kubectl get secret my-redis-secret", "|", "redis-server", "--requirepass-stdin"]
  - containerPort: 6379
The "kubectl get secret my-redis-secret" command would be executed outside the container and passed via stdin to the container.
There’s no automatic way to do this but you could run
`command: sh` and `args: [ -c "something | something_else" ]`, I guess.
I’m not sure what that is defending against, though.
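The `sh -c` approach from the reply above, worked into a complete manifest for the Redis case; this is an added example, not from the thread. It assumes a Secret named redis-conf whose redis.conf key contains a requirepass line, and relies on redis-server reading its configuration from stdin when "-" is given as the config path.

```yaml
# Added example (not from the thread): the sh -c idea applied to Redis.
# Assumes a Secret named redis-conf whose key redis.conf holds a line such as
#   requirepass <PLACEHOLDER-PASSWORD>
# redis-server reads its configuration from stdin when the config path is "-".
apiVersion: v1
kind: Pod
metadata:
  name: redis
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 999       # uid of the redis user in the official image
    fsGroup: 999         # secret files get this group; 0440 below makes them readable
  containers:
  - name: redis
    image: redis:7
    # The shell only redirects the secret file onto stdin; exec replaces the
    # shell, so the password appears in neither the environment nor argv.
    command: ["sh", "-c"]
    args: ["exec redis-server - < /etc/redis-secret/redis.conf"]
    ports:
    - containerPort: 6379
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
    volumeMounts:
    - name: redis-secret
      mountPath: /etc/redis-secret
      readOnly: true
    - name: data
      mountPath: /data   # writable dir for dump.rdb with a read-only root fs
  volumes:
  - name: redis-secret
    secret:
      secretName: redis-conf
      defaultMode: 0440
  - name: data
    emptyDir: {}
```

The secret file is still present on the container filesystem, so any process in the container that can read it still can; this removes the password from the environment and the command line, not from the volume.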
This way does not work, as it executes everything inside the container.
Once an environment/volume variable is exposed, in cases where the image is vulnerable, any other process that can access the container will be able to access them.
Via stdin, only the official process will receive this value, and it will not be possible to obtain it later.
And, if your container were to crash… Then what?