Decouple container image and secrets, use Kubernetes Secrets to attach secrets to the container.
-
Hi guys,
Maybe it is a bit "off topic", but I would still like to ask and hear your thoughts, and maybe find a solution.
Let's say I have a container image on my laptop, and that image has some important and very secret data in it.
Now, I need to deploy that container on my Talos cluster at some datacenter, etc.
The thing is, if I push that container to a remote registry, I can only hope that nobody can actually break that registry and get access to the container image with the secrets held within.
I was thinking about some kind of solution to basically send an encrypted container with skopeo (for example: check this blogpost),
but here the fun ends.
The Talos cluster (or any other k8s cluster for that matter) must have a way to pull and decrypt that image in order to use it,
and here I am a bit lost.
I was thinking about "imgcrypt" (https://github.com/containerd/imgcrypt), which uses CRI under the hood to decrypt images using certificates (located on the worker node), but it seems to me that it doesn't support that out of the box.
Any ideas, comments, suggestions are most welcome indeed.
🙏
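
The approach suggested in the reply in this thread (keep the secret data out of the image and attach it with a Kubernetes Secret), shown as an added example that is not part of the original discussion. The object names, the image reference, the key name and the mount path are hypothetical placeholders.

```yaml
# Added example: every name, path and value here is a hypothetical placeholder.
# The Secret is created in the cluster directly (kubectl apply over an
# authenticated API connection), so it never passes through the image registry.
apiVersion: v1
kind: Secret
metadata:
  name: app-secrets
  namespace: default
type: Opaque
stringData:
  api-token: "REPLACE_ME"   # constructed placeholder; inject the real value at deploy time, do not commit it
---
apiVersion: v1
kind: Pod
metadata:
  name: myapp
  namespace: default
spec:
  containers:
    - name: myapp
      # Image is built WITHOUT the secret data, so a registry compromise
      # exposes only the application code and its layers.
      image: registry.example.com/myapp:1.0
      volumeMounts:
        - name: app-secrets
          mountPath: /run/secrets/app   # application reads /run/secrets/app/api-token
          readOnly: true
  volumes:
    - name: app-secrets
      secret:
        secretName: app-secrets
        # Owner-read only. Secret files are owned by root, so a container
        # running as non-root also needs an fsGroup and a group-readable mode.
        defaultMode: 0400
```

Secret objects are stored unencrypted in etcd unless encryption at rest is configured for the API server, so this moves the secret out of the registry but does not by itself encrypt it inside the cluster.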