Skip to content
/ k8s-hide-env Public

A Mutating Web Hook that removes environment variables from the container environment and exposes them only to the main process.

4 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

fritzduchardt/k8s-hide-env

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

53 Commits
charts/k8s-hide-env
charts/k8s-hide-env
 
 
cmd/k8s-hide-env
cmd/k8s-hide-env
 
 
test
test
 
 
.gitignore
.gitignore
 
 
Dockerfile
Dockerfile
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 

Repository files navigation

K8s Hide Env

K8s Hide Env removes environment variables from your container environment and makes them only visible to the container main process and its child processes.

By default, Kubernetes exposes environment variables in the container environment. This carries security risks, since it allows container hijackers to gain easy access to infrastructure credentials and increases the risk for credentials exposure through exec containers or lifecycle hooks.

How it works

K8s Hide Env installs a Mutating Web Hook in your K8s cluster, which in a nut-shell extracts your container environment variables from K8s manifests and adds them to K8s secrets. Furthermore, the webhook amends your containers'command and args statements to source the environment from those K8s secrets and exclusively expose them to the container main processes. Then, environment variables are deleted from the K8s manifests.

Limitations

  • Only works on Deployments, StatefulSets and Daemonsets.
  • All environment variables have to be written straight into the K8s manifests. Reading from Secrets or ConfigMaps is currently not supported.
  • ENTRYPOINT and / or CMD configuration of the application container image has to get overwritten in K8s manifest with the command and / or args element.
  • Environment values will still be visible from the container and host proc file system.

Installation

Installing Cert-Manager

K8s internal communication is mandated to use TLS. Therefore, Mutating Web Hook applications need to expose ports that accept TLS traffic. Also, the corresponding Mutating Web Hook Configuration needs to include the CA cert that was used to create the application certificates.

We use cert-manager for the certificate creation and renewal. We use a SelfSigned Issuer in order to create the application certificate and Cainjector to provide the CA certificate to the Mutating Web Hook Configuration.

Install Cert-Manager including CAInjector

make install_certmanager

Install K8s Hide Env including everything (Mutating Web Hook Configuration, Certificate Issuer, Certificate, Application, RBAC configuration)

We are using Helm in order to do the installation. The corresponding chart can be found under ./charts/k8s-hide-env.

make install_k8shideenv

Try it out

Now, install a Deployment to your cluster, e.g. the K8s Showcase App:

kubectl apply -f test/deploy.yaml

Note, that when looking at the container environment, the environment variable MESSAGE is not visible:

kubectl exec k8sshowcase-76cd657458-mg6xp env | grep MESSAGE
>

However, the app has an endpoint to expose environment variables and here MESSAGE can be seen:

# open connection to one of your Pods
kubectl port-forward k8sshowcase-76cd657458-fm8k5 8080
# curl env endpoint
curl localhost:8080/env/MESSAGE
> ICanSeeYou

Uninstall

The following commands will remove all traces of K8s-hide-env from your cluster:

make delete_k8shideenv_deployment

Feedback

Any ideas and / or feedback regarding this project is very welcome. Please write to fritz@duchardt.net.

About

A Mutating Web Hook that removes environment variables from the container environment and exposes them only to the main process.

Resources

Readme
Activity

Stars

4 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages