mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-08-02 16:29:21 +00:00
Daniel Smith
commit
6a9ba0cf36
@ -318,7 +318,7 @@ Pod level](#use-case-two-containers).
|
|||||||
### Risks
|
### Risks
|
||||||
|
|
||||||
- Applications still need to protect the value of secret after reading it from the volume,
|
- Applications still need to protect the value of secret after reading it from the volume,
|
||||||
such not accidentally logging it or transmitting it to an untrusted party.
|
such as not accidentally logging it or transmitting it to an untrusted party.
|
||||||
- A user who can create a pod that uses a secret can also see the value of that secret. Even
|
- A user who can create a pod that uses a secret can also see the value of that secret. Even
|
||||||
if apiserver policy does not allow that user to read the secret object, the user could
|
if apiserver policy does not allow that user to read the secret object, the user could
|
||||||
run a pod which exposes the secret.
|
run a pod which exposes the secret.
|
||||||
@ -330,4 +330,3 @@ Pod level](#use-case-two-containers).
|
|||||||
by impersonating the kubelet. It is a planned feature to only send secrets to
|
by impersonating the kubelet. It is a planned feature to only send secrets to
|
||||||
nodes that actually require them, to restrict the impact of a root exploit on a
|
nodes that actually require them, to restrict the impact of a root exploit on a
|
||||||
single node.
|
single node.
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user