
KSP - Kubernetes Secret Proxy
KSP does annotation-based secret data injection and decryption. It runs locally and acts as a proxy to your Kubernetes API server. This means it integrates seamlessly with kubectl and should be secure by default.
Table of Contents
Installation
Setup
ksp --help
Injectors
Injectors modify secrets passed to them based on annotations.
They use the following interface:
type Injector interface {
	Inject(*corev1.Secret) (*corev1.Secret, error)
}
GPG
The GPG injector decrypts all data fields of the secret using the local gpg installation.
Annotations
Notes
- You can use ksp gpg encrypt --help to learn how to encrypt basic JSON files.
- You can encrypt the secret data with multiple public keys. That way it is possible to have separate keys for CI/CD or other developers.
Rationale
The following API endpoints are of interest:
POST /api/v1/namespaces/{namespace}/secrets
PATCH /api/v1/namespaces/{namespace}/secrets/{name}
POST
This endpoint performs secret creation and is straightforward to proxy:
- Read secret from request body
- Plug secret into injector of choice
- Rewrite request body with new secret
- Forward request to kubernetes api server
PATCH
This endpoint performs secret modification and is not that easy to proxy.
If the secret you want to apply already exists, kubectl pulls it and locally computes a diff between the local and cluster state. Since the local state will not contain any secret data (because KSP is adding it), the resulting diff will be incorrect. The following steps work around this:
- Read patch from request body
- Retrieve cluster state of the secret
- Compute local state by applying the patch to the cluster secret
- Plug resulting secret into injector of choice
- Compute new patch from injected secret and cluster state
- Rewrite request body with new patch
- Forward request to kubernetes api server
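The PATCH workaround above, as an added example that is not KSP's own code: it works on a generic JSON object instead of *corev1.Secret, models kubectl's patch as an RFC 7386 JSON merge patch (a simplification; for a Secret's flat data map the strategic merge patch behaves the same), and FillData is a hypothetical stand-in injector that only overwrites data values, where the real GPG injector would decrypt them.

```go
package main

import "reflect"

// mergePatch applies an RFC 7386 JSON merge patch to target and returns a new object.
func mergePatch(target, patch map[string]any) map[string]any {
	out := map[string]any{}
	for k, v := range target { out[k] = v }
	for k, v := range patch {
		if pm, ok := v.(map[string]any); ok { // nested object: recurse
			tm, _ := out[k].(map[string]any)
			v = mergePatch(tm, pm)
		}
		out[k] = v
		if v == nil { delete(out, k) } // JSON null means delete the key
	}
	return out
}

// mergeDiff computes the merge patch that turns from into to (inverse of mergePatch).
func mergeDiff(from, to map[string]any) map[string]any {
	patch := map[string]any{}
	for k := range from {
		if _, ok := to[k]; !ok { patch[k] = nil } // key removed in local state
	}
	for k, tv := range to {
		fm, fIsMap := from[k].(map[string]any)
		if tm, tIsMap := tv.(map[string]any); fIsMap && tIsMap {
			if sub := mergeDiff(fm, tm); len(sub) > 0 { patch[k] = sub }
		} else if !reflect.DeepEqual(from[k], tv) {
			patch[k] = tv
		}
	}
	return patch
}

// FillData is a hypothetical stand-in for an injector such as GPG decryption: it merges
// the given values into the secret's data field instead of decrypting anything.
func FillData(data map[string]any) func(map[string]any) (map[string]any, error) {
	return func(s map[string]any) (map[string]any, error) {
		return mergePatch(s, map[string]any{"data": data}), nil
	}
}

// RewritePatch is the README's PATCH workaround: cluster state + kubectl's patch gives the
// local state; inject it, then diff against the cluster state to get the patch to forward.
func RewritePatch(cluster, patch map[string]any, inj func(map[string]any) (map[string]any, error)) (map[string]any, error) {
	injected, err := inj(mergePatch(cluster, patch))
	if err != nil { return nil, err }
	return mergeDiff(cluster, injected), nil
}
```

The returned object is what KSP would marshal into the rewritten request body before forwarding it to the API server.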