Challenge 33 ☆☆

Welcome to challenge 33. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

Kubernetes StringData or Data?

Kubernetes has 2 types of fields for data in a secret. The StringData contains the plaintext data, while the Data contains the base64 encoded value. So what if you want to swap the StringData value to a Data value in order to secure it further? You don’t have to, as long as you have set up RBAC correctly. After all: both values should not be visible when a secret is listed or described. But what if you move from standard to sealed secrets but don’t migrate all of them? Then it might be good to know that the metadata might contain the actual value of the StringData. Can you find the secret?

Answer to solution :

Why you should be careful with migrating secrets

When you update a Kubernetes secret and migrate to another format, the original data is part of the metadata captured in the original configuration. Migration of secrets to "something else" should also include a rotation step to ensure the older (less well-protected) value is now useless.