Skip to content
/ kinko Public

A Kubernetes controller and tool for sealing/unsealing Secrets with the help of KMS providers.

12 stars 4 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

rueian/kinko

BranchesTags

Repository files navigation

Kinko for kubernetes

Kinko is a Kubernetes CRD controller that does the same thing as the bitnami-labs/sealed-secrets, but kinko is much easier to maintain with the help of the external KMS provider.

Comparison to the bitnami-labs/sealed-secrets

The Same:

  • kinko CLI to create sealed CRDs that can be saved into a VCS.
  • kinko CRD controller that unseals the sealed CRDs into normal k8s secrets.

The Different, Why kinko is easier to maintain:

  • There is no RSA key pair maintained by kinko. Instead, the Data Encryption Key (DEK) is encrypted by the external KMS provider.
  • The kinko CRD controller should have the decryption permission on the external KMS provider to decrypt the DEK.
  • Anyone having the decryption permission can decrypt the DEK as well. It is not forced that the CRD controller be the only one who can unseal the secret.
  • Currently, only support Google Cloud KMS.

Permission Advisory

For GKE users:

  • The kinko-controller-manager should get the cloudkms.cryptoKeyVersions.useToDecrypt role permission through the Workload Identity.
  • Only grant cloudkms.cryptoKeyVersions.useToDecrypt, container.secrets.get and container.pods.exec permissions to privileged GCP users.

About

A Kubernetes controller and tool for sealing/unsealing Secrets with the help of KMS providers.

Topics

kubernetes kubernetes-secrets encrypt-secrets gitops kubernetes-operators

Resources

Readme
Activity

Stars

12 stars

Watchers

4 watching

Forks

4 forks
Report repository

Releases 9

v0.0.12 Latest
Apr 19, 2024
+ 8 releases

Packages

No packages published

Contributors 5

Languages