General Discussion: CSI Driver for Kubernetes and Azure Key Vault vs keeping Secrets in Memory

general discussion forum gives members an opportunity to discuss proposed policy ideas prior to submitting as a formal
Post Reply
admin
Site Admin
Posts: 36
Joined: Sun Aug 08, 2021 7:49 am

General Discussion: CSI Driver for Kubernetes and Azure Key Vault vs keeping Secrets in Memory

Post by admin »

as stated in the title I have a general question about securely retrieving secrets from Azure KeyVault.

Currently, most of my secrets are stored in Kubernetes Secrets. As Secrets are only base64 encoded it is possible for a malicious user or even admins to read the secret using tools like a lens.

To enhance the security of my application(s) I would like to use more secure storage like Azure KeyVault to hold my secrets, certificates, and alike.

Currently, I am thinking about two available versions

using CSI Driver
querying data from VK using a REST call on container start and keeping data only in memory (my favorite)
Somehow I do not trust the approach of using a CSI driver for the following reasons: If for any reason, some malicious user is able to connect to my container, he/she/it will be able to read the values from the "file" generated by the CSI driver.
This should be quite trivial to do so assuming one connects to the container. Although having a malicious package installed in my app bundle, it might be possible to read those data...

On the other hand, having secrets only in memory seems to be a bit more secure as the attacker must have the chance to read the memory (I hope there is something in place to prevent such actions), as well as one, has to know the exact memory location where to find the data.

Any advice, ideas, or clarification is highly appreciated.
Post Reply