Deploy the driver and providers into the `kube-system` or a separate dedicated namespace.
The driver is installed as a `DaemonSet` with the ability to mount kubelet `hostPath` volumes and view pod service account tokens. It should be treated as privileged, and regular cluster users should not have permissions to deploy or modify the driver.
Do not grant regular cluster users permissions to modify `SecretProviderClassPodStatus` resources.
The `SecretProviderClassPodStatus` CRD is used by the driver to keep track of mounted resources. Manually editing this resource could have unexpected consequences for system health, and in particular modifying `SecretProviderClassPodStatus/status` may have security implications.
Turn off `Secret` sync if not needed.
If you do not intend to use the `Secret` syncing feature, do not install the RBAC permissions that allow the driver to access cluster `Secret` objects. This can be done by setting `syncSecret.enabled = false` when installing with Helm.
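The two RBAC points above (no `Secret` access for the driver unless sync is needed, and no tenant write access to `SecretProviderClassPodStatus`) can be checked against exported roles. The following is an added audit script, not code from the driver project; the role objects are constructed to resemble `kubectl get clusterroles -o json` output, and the CRD group and plural names are those of the driver's own API group.

```python
"""Audit RBAC roles for access to the two resources this page singles out:
cluster Secrets and the driver's SecretProviderClassPodStatus CRD.
Added example, not driver code. Input is parsed JSON from
`kubectl get clusterroles,roles -A -o json`; the sample roles are constructed."""

# Core-group Secrets, plus the driver's status CRD and its status subresource.
SENSITIVE = {
    ("", "secrets"),
    ("secrets-store.csi.x-k8s.io", "secretproviderclasspodstatuses"),
    ("secrets-store.csi.x-k8s.io", "secretproviderclasspodstatuses/status"),
}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}

def audit_roles(items):
    """Return (role, apiGroup, resource, verbs) for every rule that grants any
    verb on a sensitive resource; "*" in apiGroups or resources matches all."""
    findings = []
    for role in items:
        name = role["metadata"]["name"]
        for rule in role.get("rules") or []:
            groups, resources = rule.get("apiGroups", []), rule.get("resources", [])
            verbs = tuple(sorted(rule.get("verbs", [])))
            for group, resource in sorted(SENSITIVE):
                if ((group in groups or "*" in groups)
                        and (resource in resources or "*" in resources)):
                    findings.append((name, group, resource, verbs))
    return findings

def write_findings(findings):
    """Only the findings whose verbs can modify the resource."""
    return [f for f in findings if WRITE_VERBS & set(f[3])]

# Constructed sample: role 1 resembles what the driver needs only when syncSecret.enabled
# is true; role 2 is a tenant role with wildcard resources in the driver's group; role 3 is read-only.
SAMPLE_ROLES = [
    {"metadata": {"name": "secretprovidersyncing-role"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"],
                "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]}]},
    {"metadata": {"name": "team-edit"},
     "rules": [{"apiGroups": ["secrets-store.csi.x-k8s.io"], "resources": ["*"],
                "verbs": ["get", "update", "patch"]}]},
    {"metadata": {"name": "team-view"},
     "rules": [{"apiGroups": ["secrets-store.csi.x-k8s.io"],
                "resources": ["secretproviderclasspodstatuses"], "verbs": ["get", "list", "watch"]}]},
]

if __name__ == "__main__":
    for name, group, resource, verbs in write_findings(audit_roles(SAMPLE_ROLES)):
        print(f"{name}: {group or 'core'}/{resource} -> {','.join(verbs)}")
```

Against the sample, the sync role is reported because it can write `secrets` (expected only when sync is enabled), and `team-edit` is reported twice because its wildcard covers both the status CRD and its `/status` subresource.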
Enable KMS application wrapping if using `Secret` syncing.
If you need to synchronise your external secrets to Kubernetes `Secrets`, consider configuring encryption of data at rest. This will ensure that data is encrypted before it is stored in `etcd`.
Keep the driver up to date.
Subscribe to the `kubernetes-secrets-store-csi-driver` mailing list to be notified of new releases and security announcements. Consider using the GitHub Watch feature to subscribe to releases as well.
Always be sure to review the release notes before upgrading.
When evaluating this driver consider the following threats:
- When a secret is accessible on the filesystem, application vulnerabilities like directory traversal attacks can become higher severity, as the attacker may gain the ability to read the secret material.
- When a secret is consumed through environment variables, misconfigurations such as enabling debug endpoints or including dependencies that log process environment details may leak secrets.
- When syncing secret material to Kubernetes Secrets, consider whether the access controls on that data store are sufficiently narrow in scope.
If possible, directly integrating with a purpose-built secrets API may offer the best security tradeoffs.