Secret data can be decoded easily on OpenShift 3

Solution Verified

Issue

  • When we create a secret, oc describe secret hides the values and shows only their sizes:
$ oc describe secret mysecret
...
Type:   Opaque

Data
====
password:   11 bytes
username:   9 bytes
  • However, when we run oc get secret -o yaml, it shows the value, which is only base64-encoded, so the secret data is easy to decode:
$ oc get secret mysecret -o yaml |grep password
  password: dmFsdWUtMg0KDQo=

$ echo "dmFsdWUtMg0KDQo=" |base64 -d
value-2
  • How can we encrypt it?

  • Our application security team wants to know if OpenShift stores the secrets encrypted at rest, or if not, if there are any ways we can implement that, whether it be through a third party product or through custom configuration.

  • How do I encrypt credentials for use in a container?
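
The following is an added example, not part of the original solution: it decodes every field of a secret manifest and compares the result with the sizes oc describe prints. The JSON input is constructed to look like oc get secret mysecret -o json output, the username value is made up, and inspect_secret is a hypothetical helper name.

```python
import base64
import json

# Constructed sample shaped like `oc get secret mysecret -o json` output.
# The password value is the one shown on this page; the username value is
# made up so that it decodes to 9 bytes, matching the describe output.
SAMPLE_SECRET = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "mysecret"},
    "type": "Opaque",
    "data": {
        "password": "dmFsdWUtMg0KDQo=",
        "username": base64.b64encode(b"admin\r\n\r\n").decode("ascii"),
    },
})


def inspect_secret(manifest_json):
    """Decode every data field and report what `oc describe` only sizes."""
    manifest = json.loads(manifest_json)
    report = {}
    for key, encoded in sorted(manifest.get("data", {}).items()):
        raw = base64.b64decode(encoded, validate=True)
        stripped = raw.rstrip(b"\r\n \t")
        report[key] = {
            "bytes": len(raw),   # the number `oc describe` prints
            "value": raw,        # recovered without any key material
            "trailing_whitespace": len(raw) - len(stripped),
        }
    return report


if __name__ == "__main__":
    for key, info in inspect_secret(SAMPLE_SECRET).items():
        print(f"{key}: {info['bytes']} bytes, value={info['value']!r}, "
              f"trailing whitespace bytes={info['trailing_whitespace']}")
```

For the page's password value this reports 11 bytes, 4 of which are trailing CR/LF characters, which is why the decoded text looks shorter than the size oc describe shows.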

Environment

  • OpenShift Container Platform
    • 3.x
