Getting started

SDS for Kubernetes init container allows Kubernetes administrators to manage Kubernetes secrets in their clusters using state-of-the-art security practices.

Without SDS for Kubernetes init container, a Kubernetes secret is stored unencrypted in the API server's data store (etcd) and can be retrieved by anyone with API access to it.

With SDS for Kubernetes init container, the sensitive data stored in a Kubernetes secret is less exposed: the decrypted value exists only in memory, and only for the lifetime of the pod.

This solution is based on three technologies:

  • SDS Key Management as a Service (KMaaS) with the crypto-api feature enabled
    Provides an API for encrypting/decrypting sensitive data using Data Encryption Keys (DEKs).

  • Stormshield Software Development Kit (SDK, referred to below as the SDSDK)
    Provides higher-level, standardized methods to encrypt/decrypt:

    • The SDSDK manages the DEKs and calls the KMaaS itself, so the end user does not have to perform these operations,

    • Encrypted sensitive data is stored with metadata using a standardized format.

  • Kubernetes init container
    An init container is a temporary container that runs before the main application container to perform setup tasks. The SDS for Kubernetes init container solution uses init containers to:

    • Decrypt the data using the SDSDK, which calls the KMaaS,

    • Save the decrypted data into an ephemeral Kubernetes volume backed by RAM and shared with the main application container. This ensures that the decrypted data is no longer accessible once the main application container terminates.

SDS for Kubernetes init container provides a script, encryptor.cjs, to encrypt sensitive data.
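To make the pattern concrete, here is an added pod manifest illustrating the init container flow described above. It is an illustration written for this page, not a manifest shipped by Stormshield: the image names, the environment variable name, the secret name and the decrypt command are placeholders, and the only Kubernetes mechanics it relies on are a RAM-backed emptyDir volume and an init container that shares it with the application container.

```yaml
# Added illustration of the SDS init-container pattern (not the project's own manifest).
# PLACEHOLDER_* values and the env/secret names are assumptions for this example;
# the real init container image and its configuration come from the product documentation.
apiVersion: v1
kind: Pod
metadata:
  name: app-with-sds-init
spec:
  volumes:
    # RAM-backed ephemeral volume (tmpfs): never written to disk and
    # destroyed together with the pod. sizeLimit bounds the memory it may use.
    - name: decrypted-secrets
      emptyDir:
        medium: Memory
        sizeLimit: 1Mi
  initContainers:
    - name: sds-decrypt
      image: PLACEHOLDER_SDS_INIT_CONTAINER_IMAGE
      env:
        # The ciphertext produced by encryptor.cjs is what lives in the
        # Kubernetes Secret, so only the encrypted form ever reaches etcd.
        - name: ENCRYPTED_DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: db-credentials-encrypted   # assumed Secret name
              key: password
      volumeMounts:
        - name: decrypted-secrets
          mountPath: /run/secrets/decrypted
      # Placeholder for the real decrypt step, which goes through the SDSDK
      # and the KMaaS and writes the plaintext into the shared RAM volume.
      command: ["/bin/sh", "-c"]
      args:
        - PLACEHOLDER_DECRYPT_COMMAND "$ENCRYPTED_DB_PASSWORD" > /run/secrets/decrypted/password
  containers:
    - name: app
      image: PLACEHOLDER_APP_IMAGE
      # The application container only mounts the RAM volume; it never
      # references the encrypted Secret and reads the plaintext from tmpfs.
      volumeMounts:
        - name: decrypted-secrets
          mountPath: /run/secrets/decrypted
          readOnly: true
```

Two points worth checking once such a pod runs: `kubectl exec <pod> -c app -- df -h /run/secrets/decrypted` should report a `tmpfs` filesystem, confirming the plaintext never touches node disk, and a memory-backed emptyDir counts against the container's memory limit, so size it explicitly. The encrypted Secret still needs the usual RBAC hygiene, and anyone allowed to `kubectl exec` into the running pod can read the decrypted value for as long as the pod lives.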

NOTE
Using the solution in any way other than as described in this documentation is not supported.
If in doubt, contact Stormshield Support for clarification.