This is a beta release to verify several fixes to the env-injector as described in issue #42. There were two main issues:
- The env-injector copied
azure.json(containing AKS Service Principal) to every Pod using secret injection and users couldexecinto the pod and view the file content. Deleting the file was not an option, since it would prevent the container from recovering from errors (Pod restarting container) as the file was needed to authenticate with AKV. - A user could
execinto a Pod and execute/azure-keyvault/azure-keyvault-env printenvand it would download and print out all injected secrets
The implemented solution:
- A auth endpoint, protected by a client certificate, is added to the env-injector webhook. The
azure-keyvault-envexecutable will call this endpoint (instead of using credentials fromazure.json), and get a oauth token to access AKV. This solution prevents the AKS Service Principal credentials to be revealed inside the Pod, but still using the same credentials. - To prevent arbitrary arguments to be passed to
/azure-keyvault/azure-keyvault-env(likeprintenv) the env-injector webhook creates a signature of the original arguments andazure-keyvault-envchecks that signature before executing. This prevents revealing secrets in plain text whenexecinto Pod.
Installation / Upgrade
To upgrade existing Helm chart, do:
helm repo update
and pass on --version 1.1.0-beta.1 to helm upgrade
See https://akv2k8s.io/installation for other details