You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: content/en/docs/concepts/configuration/secret.md
+9-8Lines changed: 9 additions & 8 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -36,11 +36,12 @@ Additionally, anyone who is authorized to create a Pod in a namespace can use th
36
36
In order to safely use Secrets, take at least the following steps:
37
37
38
38
1.[Enable Encryption at Rest](/docs/tasks/administer-cluster/encrypt-data/) for Secrets.
39
-
1.[Enable or configure RBAC rules](/docs/reference/access-authn-authz/authorization/) that
40
-
restrict reading and writing the Secret. Be aware that secrets can be obtained
41
-
implicitly by anyone with the permission to create a Pod.
42
-
1. Where appropriate, also use mechanisms such as RBAC to limit which principals are allowed
43
-
to create new Secrets or replace existing ones.
39
+
1.[Enable or configure RBAC rules](/docs/reference/access-authn-authz/authorization/) with least-privilege access to Secrets.
40
+
1. Restrict Secret access to specific containers.
41
+
1.[Consider using external Secret store providers](https://secrets-store-csi-driver.sigs.k8s.io/concepts.html#provider-for-the-secrets-store-csi-driver).
42
+
43
+
For more guidelines to manage and improve the security of your Secrets, refer to
44
+
[Good practices for Kubernetes Secrets](/docs/concepts/security/secrets-good-practices).
44
45
45
46
{{< /caution >}}
46
47
@@ -174,7 +175,7 @@ systems on your behalf.
174
175
175
176
Secret volume sources are validated to ensure that the specified object
176
177
reference actually points to an object of type Secret. Therefore, a Secret
177
-
needs to be created before any Pods that depend on it.
178
+
needs to be created before any Pods that depend on it.
178
179
179
180
If the Secret cannot be fetched (perhaps because it does not exist, or
180
181
due to a temporary lack of connection to the API server) the kubelet
@@ -324,7 +325,7 @@ secret volume mount have permission `0400`.
324
325
{{< note >}}
325
326
If you're defining a Pod or a Pod template using JSON, beware that the JSON
326
327
specification doesn't support octal notation. You can use the decimal value
327
-
for the `defaultMode` (for example, 0400 in octal is 256 in decimal) instead.
328
+
for the `defaultMode` (for example, 0400 in octal is 256 in decimal) instead.
328
329
If you're writing YAML, you can write the `defaultMode` in octal.
329
330
{{< /note >}}
330
331
@@ -931,7 +932,7 @@ data:
931
932
After creating the Secret, wait for Kubernetes to populate the `token` key in the `data` field.
932
933
933
934
See the [ServiceAccount](/docs/tasks/configure-pod-container/configure-service-account/)
934
-
documentation for more information on how service accounts work.
935
+
documentation for more information on how service accounts work.
935
936
You can also check the `automountServiceAccountToken` field and the
0 commit comments