Kubernetes User Certificate

ID

kubernetes_cert

Severity

critical

Vendor

Kubernetes

Family

Other

Description

Kubernetes is an open-source container orchestration system for automating software deployment, scaling, and management.

This detector looks for the private key and client certificate.

Security

Any leakage of the client private key is critical. The client certificate, on the other hand, is public by definition.

Examples

The following example shows a hardcoded Kubernetes client key and certificate in a YAML script:

apiVersion: v1
clusters:
  - cluster:
      certificate-authority-data: Q0FEQVRB
      server: http://example.com
    name: cluster1

contexts:
  - context:
      cluster: cluster1
      user: user1
    name: context1
current-context: context1
kind: Config
preferences: {}
users:
  - name: user1
    user:
      client-certificate-data: VVNFUl9DQURBVEE=
      client-key-data: VVNFUl9DS0RBVEE=

Mitigation / Fix

  1. Remove the sensitive data from the source code or committed configuration file. Avoid hardcoded secrets, and instead place the keys in a 'secrets vault'.

  2. Follow your policy for handling leaked secrets, which typically require revoking the secret in the target system(s).

  1. If under a git repository, you may remove unwanted files from the repository history using tools like git filter-repo or BFG Repo-Cleaner. You may follow the procedure listed here for GitHub.

You should consider any sensitive data in commits with secrets as compromised.

Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.

Reference

https://kubernetes.io/docs/reference/access-authn-authz/authentication