This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 44%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECK%3C/text%3E%3C/svg%3E)
If I mount an AKS Secret using the 'secrets-store.csi.k8s.io' driver, is it better to mount it as a file or environment variable?
How do I prevent anyone using 'kubectl exec' to see the file / variable? Can I remove the environment variable after retrieving it using 'unset'? Or are there any other recommended method to secure the secret keys away from prying eyes?
Thanks in advance.
It's generally accepted that mounting as files is more secure that by environment variable.
For more information, see this SO post with some good discussion and references; https://stackoverflow.com/questions/51365355/kubernetes-secrets-volumes-vs-environment-variables
But a file can be exposed by compromised pods right?
in the event a hacker or even a bad actor within the company get access to the shell of the pod, anything that can be done to secure?
Since the files are mainly mounted as read-only, deleting them will not be possible. How about file ownership and permissions? Can they be set?
Once a hacker has entered your container interactively there's little that can be done to protect the secrets. They could list every environment variable and inspect files. Ensuring that you have taken all steps to secure access, and then using Kubernetes security tooling to detect and alert on anomalous behaviour would be my suggestion.
Thanks for info. Maybe I'll consider preventing interactive access, and store the secrets in Key Vault in encrypted format to reduce chances of revealing the passwords.
Again, thanks!
Make sure to evaluate KMS, but IMO CSI to Key Vault is fine 😊
https://learn.microsoft.com/en-us/azure/aks/use-kms-etcd-encryption