Remove or deny access to kube-system/cloud-config secret

[steled]

Hi,

after the deployment of an user cluster we found out that our DC credentials are available in the kube-system namespace cloud-config secret.

For example:

kubectl get secrets -n kube-system cloud-config

Unfortunately in this secret are the needed credentials for the provider stored.
Is it possible to remove this secret or can we deny the access to this secret so that the user of the cluster are not able to see the credentials?

[embik]

Hi @steled,

Given that cluster owners have "cluster admin" / "root" permissions on the user cluster, it's not possible to deny them access. Cloud provider credentials are necessary for some functionality located within the cluster (e.g. CSI drivers), that's the reason the secret exists.

We are aware that users prefer not to expose credentials to cluster owners and are working on removing dependencies on it, so we can eliminate it eventually. One of the major changes necessary for that is #11985.

[steled]

Hi @embik,

is it possible that this can be handled with kubermatic/kubeone#2750

[embik]

Hi @steled, that is a KubeOne issue, so its solution will not apply to KKP. There is #12008 on the KKP side and it could be possible that the cloud-config secret would not be needed in that situation and could be omitted. But that remains up for question, I haven't looked into it.

[steled]

Oh, damn I mixed it up.. Sorry for that 😅

[steled]

Hi @embik,

thanks for the reply.
Is it possible to have an integration with for example Hashicorp Vault were the secret is injected from or something similar?

[embik]

I'm not sure Vault integration within the user cluster would help much with your concerns, given that cluster admins could extract the credentials to access Vault to then access cloud provider credentials. But ignoring that, it's not supported currently.

[steled]

Yeah, makes sense... didn't thought about that too much 😄