Secret data can be decoded easily on OpenShift 3
Issue
- When we create a secret, oc describe secret hides the values and shows only their sizes:
$ oc describe secret mysecret
...
Type: Opaque
Data
====
password: 11 bytes
username: 9 bytes
- However, when we run oc get secret -o yaml, it shows the value, which is only base64-encoded, so the secret data is easy to decode:
$ oc get secret mysecret -o yaml |grep password
password: dmFsdWUtMg0KDQo=
$ echo "dmFsdWUtMg0KDQo=" |base64 -d
value-2
- How can we encrypt it?
- Our application security team wants to know if OpenShift stores the secrets encrypted at rest, or if not, if there are any ways we can implement that, whether it be through a third party product or through custom configuration.
- How do I encrypt credentials for use in a container?
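
The byte counts printed by oc describe secret are the sizes of the base64-decoded values, so both commands expose the same data to anyone allowed to read the secret. The shell functions below are an added example, not part of the original article; the function names are hypothetical, and the username value is constructed to match the 9 bytes shown above (only the password value comes from the page).

```shell
#!/bin/sh
# Constructed sample of `oc get secret mysecret -o yaml` output.
# The password value is the one shown above; the username value is made up.
sample_secret_yaml() {
cat <<'EOF'
apiVersion: v1
data:
  password: dmFsdWUtMg0KDQo=
  username: dmFsdWUtMQ0K
kind: Secret
metadata:
  name: mysecret
type: Opaque
EOF
}

# Read Secret YAML on stdin and print "key<TAB>decoded size in bytes"
# for every entry under the top-level data: map.
secret_field_sizes() {
  awk '
    /^data:/           { in_data = 1; next }  # start of the data map
    /^[^ ]/            { in_data = 0 }        # next top-level key ends it
    in_data && NF == 2 { sub(/:$/, "", $1); print $1, $2 }
  ' | while read -r key b64; do
    size=$(printf '%s' "$b64" | base64 -d | wc -c | tr -d ' ')
    printf '%s\t%s\n' "$key" "$size"
  done
}

# Decode one field and show it with control characters made visible,
# so trailing CR/LF bytes stored in the secret are not hidden by the terminal.
secret_field_value() {
  awk -v k="$1:" '/^data:/ {d = 1; next} /^[^ ]/ {d = 0} d && $1 == k {print $2}' |
    base64 -d | od -An -c
}

sample_secret_yaml | secret_field_sizes
sample_secret_yaml | secret_field_value password
```

The sizes match the oc describe secret output, and the od view shows that the 11-byte password is value-2 followed by two CR/LF pairs that a plain echo of the decoded value does not make obvious.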
Environment
- OpenShift Container Platform
- 3.x