-
|
The Kubernetes CRD storage option stores sensitive data (e.g. signing keys) unencrypted in etcd and Kubernetes distributions typically only offer the ability to encrypt Secrets using a user-managed KMS key (for example GKE application-layer secrets encryption). Although convenient, this seems like it would pose an issue for organisations that require sensitive data is stored using an encryption key that they manage and breaks the assumption that sensitive data is only stored in the Kubernetes API through Secret resources. Are there any arguments for why this storage option is as secure as using Kubernetes Secrets or is the advice that another storage option be used if a dex user wants to conform to this kind of organisational policy? |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 1 reply
-
|
It depends on your Kubernetes settings. It is possible to encrypt any kind of object. |
Beta Was this translation helpful? Give feedback.
-
|
@nabokihms yeah of course, but typically only Secrets are offered by managed distributions, which greatly limits where Dex can be run without external mitigations. I guess the answer here is no and that without these mitigations in place a different storage backend should be used. |
Beta Was this translation helpful? Give feedback.
-
|
Dex doesn't support any This rule works for every storage. In your case, if it is impossible to tune |
Beta Was this translation helpful? Give feedback.
@nabokihms yeah of course, but typically only Secrets are offered by managed distributions, which greatly limits where Dex can be run without external mitigations.
I guess the answer here is no and that without these mitigations in place a different storage backend should be used.