Use kubernetes secrets for passing sensitive environment variables to pods
See original GitHub issueUpdate by @consideRatio
The environment variable should in order to follow common k8s security practices be mounted from a k8s Secret rather than set directly as a name/value pair in the k8s Pod resource manifest.
# like this...
spec:
containers:
- name: users-jupyter-server-container
env:
- name: JUPYTERHUB_API_TOKEN
valueFrom:
secretKeyRef:
name: user1-jupyterhub-api-token
key: JUPYTERHUB_API_TOKEN
# instead of liket his
spec:
containers:
- name: users-jupyter-server-container
env:
- name: JUPYTERHUB_API_TOKEN
value: secret-stuff
The difference is that if you do kubectl get pod -o yaml jupyter-user1
then you will see the secret-stuff
value if we mount it like we do now, but not if we reference a k8s Secret in order to mount the environment variable. But, for a user with ability to do kubectl get secret -o yaml user1-jupyterhub-api-token
then it doesn’t matter I think.
Original issue text
Issue Analytics
- State:
- Created 3 years ago
- Reactions:9
- Comments:9 (3 by maintainers)
Top Results From Across the Web
Secrets | Kubernetes
Using a Secret. Secrets can be mounted as data volumes or exposed as environment variables to be used by a container in a...
Read more >How to Use Kubernetes Secrets with Environment Variables ...
Injecting a Secret as an environment variable makes the value available to everything inside the Pod. That can be useful in that multiple ......
Read more >Using Kubernetes Secrets as Environment Variables
When you create a Pod in kubernetes, you can set environment variables for the containers that run inside the Pod. To set environment...
Read more >How To Use Kubernetes Secrets for Storing Sensitive Config ...
We use the key apikey from Secret service-apikey and make sure its value is available as an environment variable API_KEY inside the Pod...
Read more >Kubernetes Secrets | How To Create, Use, and Access
In this step, you will create a Pod that will expose the Secret values as environment variables in a container at runtime. Once...
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
I think tackling this will give us a chance to generally improve logic around “objects created to go with the pod”. Using consistent labels for any object created by kubespawner associated with a user pod should make it manageable to create and clean up everything without lifecycle concerns when e.g. gc is unavailable due to ordering.
This makes sense. The complexity here will be creating & cleaning up the secret objects with pod start / stop. We could explore doing this with kubernetes garbage collection, although since the secret would need to be created before the pod - not sure if that’ll work for that.
We already create PVCs before creating pods, I think we can extend that logic to secrets. While we’re there, we could possibly just put all env vars there instead of just ‘sensitive’ ones.
Happy to review any PRs 😃