Sealed Secret in Kubernetes

[drnow4u]

In the repository would be committed file containing Sealed Secret e.g.:

apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: mysecret
  namespace: mynamespace
spec:
  encryptedData:
    foo: AgBy3i4OJSWK+PiTySYZZA9rO43cGDEq.....

Sealed Secret is asymmetrically encrypted and only the Sealed Secret Controller deployed in Kubernetes can decrypt it. Such decrypted secrets "unsealed" are stored as classic Kubernetes secret.

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
  namespace: mynamespace
data:
  foo: YmFy  # <- base64 encoded "bar"

@commjoen could you describe proposed on Slack attack vector?

[commjoen]

We would get into trouble if the private key is somehow compromised: either by specifying a backup key to use teh secret without the controler or by having the secret accessible due to an RBAC misconfiguration. However: i have not seen any of the 2 cases alive yet. @bendehaan : what should we do here?

[commjoen]

One of the challenges would still be: how can we implement this in ctf-party? should the controler live in a namespace everyone has access to?

[commjoen]

As agreed with @bendehaan :We can implement it for now using a controller with an exposed private key. Assigning this one to you @MarcinNowak-codes

[commjoen]

@bendehaan is this still something you want to pick up :) ?

[bendehaan]

@commjoen I can't recall I was assignee earlier, shouldn't it be @drnow4u?

[commjoen]

Anyone want to pick this one up :) ?

[Shubham-Patel07]

i want to work on this issue :-) @commjoen

[Shubham-Patel07]

@commjoen has some discussion already done on slack about this issue ??
i wanted some more details on this

[commjoen]

Yes. Please check with @bendehaan on Slack.

[commjoen]

@Shubham-Patel07 can you, before taking on this issue, first fix the other 2 outstanding PRs please?

[Shubham-Patel07]

I've fixed the outstanding issue now i wanted to give it a try !!