FalcoSuessgott / vault-kubernetes-kms

Encrypt Kubernetes Secrets using Hashicorp Vault as the KMS Provider
https://falcosuessgott.github.io/vault-kubernetes-kms/
MIT License
12 stars, 1 fork

Vault token should not be passed as a command line argument #83

Closed. stephan2012 closed this 1 month ago.

stephan2012 commented 1 month ago

When using a Vault token for authentication, passing it as a command-line option is usually considered insecure because the process list discloses it. Instead, the plugin should consume it as an environment variable or from a file.

FalcoSuessgott commented 1 month ago

This is already possible (ref.: https://falcosuessgott.github.io/vault-kubernetes-kms/configuration/#cli-args-environment-variables).

Example:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: vault-kubernetes-kms
  namespace: kube-system
spec:
  priorityClassName: system-node-critical
  hostNetwork: true
  containers:
    - name: vault-kubernetes-kms
      image: localhost:5000/vault-kubernetes-kms:latest
      imagePullPolicy: IfNotPresent
      # CLI-flag form, left commented out: these values would appear in the process argv
      # command:
      #   - /vault-kubernetes-kms
      #   - --vault-address=http://172.17.0.1:8200
      #   - --socket=unix:///opt/kms/vaultkms.socket
      #   - --vault-token=root
      # the same settings as VAULT_KMS_* environment variables instead of flags
      env:
        - name: VAULT_KMS_VAULT_TOKEN
          value: root
        - name: VAULT_KMS_VAULT_ADDR
          value: http://172.17.0.1:8200
        - name: VAULT_KMS_SOCKET
          value: unix:///opt/kms/vaultkms.socket
      volumeMounts:
        # mount /opt/kms host directory (holds the KMS unix socket)
        - name: kms
          mountPath: /opt/kms
      resources:
        requests:
          cpu: 100m
          memory: 128Mi
        limits:
          cpu: "2"
          memory: 1Gi
  volumes:
    # mount /opt/kms host directory
    - name: kms
      hostPath:
        path: /opt/kms
```
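The disclosure the issue is about, shown end to end as an added example (this is not code from the vault-kubernetes-kms project or from either participant). It starts a stand-in process the two ways the Pod spec above illustrates, first with the token in argv like the commented-out `command:` block, then with it in `VAULT_KMS_VAULT_TOKEN` like the `env:` block, and reads the process list the way any local user can. The token value, the `vault-kubernetes-kms` argv[0] and the helper function names are assumptions made for the demo; nothing here contacts Vault.

```shell
#!/bin/sh
# Added example, not part of vault-kubernetes-kms: why a Vault token on the
# command line is disclosed through the process list while the same token in
# the environment is not. TOKEN is a constructed placeholder and the "plugin"
# is a stand-in shell process; nothing here talks to Vault.

TOKEN='hvs.EXAMPLE-NOT-A-REAL-TOKEN'      # constructed placeholder, not a real token
PLACEHOLDER_PID=''

# Print the argv of process $1 on one line. On Linux /proc/<pid>/cmdline is
# world-readable, which is exactly the disclosure the issue describes; `ps`
# covers systems without /proc.
show_cmdline() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# Start a stand-in for the plugin; "$@" becomes its argv after the assumed
# argv[0] "vault-kubernetes-kms". The trailing "exit 0" stops bash from
# exec-optimising the wrapper shell away, and the one-second pause lets the
# child finish exec() so /proc shows its own argv rather than ours.
start_placeholder() {
    sh -c 'sleep 5; exit 0' vault-kubernetes-kms "$@" >/dev/null 2>&1 &
    PLACEHOLDER_PID=$!
    sleep 1
}

stop_placeholder() {
    kill "$PLACEHOLDER_PID" 2>/dev/null || true
    wait "$PLACEHOLDER_PID" 2>/dev/null || true
}

# Token passed as a flag, as in the commented-out `command:` block of the Pod
# spec. Prints "leaked" when the token is readable from the process list.
token_via_argv() {
    start_placeholder "--vault-token=$TOKEN"
    if show_cmdline "$PLACEHOLDER_PID" | grep -qF "$TOKEN"; then r=leaked; else r=hidden; fi
    stop_placeholder
    echo "$r"
}

# Token passed as VAULT_KMS_VAULT_TOKEN, as in the `env:` block. Prints
# "hidden" because argv no longer carries it.
token_via_env() {
    VAULT_KMS_VAULT_TOKEN="$TOKEN"; export VAULT_KMS_VAULT_TOKEN
    start_placeholder
    if show_cmdline "$PLACEHOLDER_PID" | grep -qF "$TOKEN"; then r=leaked; else r=hidden; fi
    stop_placeholder
    unset VAULT_KMS_VAULT_TOKEN
    echo "$r"
}

# The environment is still inspectable, but only by the process owner and
# root: prints the permission bits of /proc/<pid>/environ, which the Linux
# kernel creates mode 0400 ("-r--------"). Prints "unavailable" without /proc.
environ_mode() {
    VAULT_KMS_VAULT_TOKEN="$TOKEN"; export VAULT_KMS_VAULT_TOKEN
    start_placeholder
    if [ -e "/proc/$PLACEHOLDER_PID/environ" ]; then
        ls -l "/proc/$PLACEHOLDER_PID/environ" | cut -c1-10
    else
        echo unavailable
    fi
    stop_placeholder
    unset VAULT_KMS_VAULT_TOKEN
}

# Stand-alone run: one line per check.
echo "argv:    $(token_via_argv)"
echo "env:     $(token_via_env)"
echo "environ: $(environ_mode)"
```

Two caveats a practitioner would want alongside this. Moving the token into `env:` removes it from argv but not from the pod spec: a literal `value:` is still visible to anyone who can `kubectl get pod -o yaml` in kube-system, and on a static pod it sits in the manifest on the node's disk. Standard Kubernetes practice is to populate the same variable from a Secret with `valueFrom.secretKeyRef`, or to mount the Secret as a file, so the manifest itself carries no token (whether this plugin also reads the token from a file, as the issue suggests, is not established by this thread). And the environment remains readable by root on the node and by the container's own user via /proc/<pid>/environ, so the protection is against other unprivileged local users, not against a node compromise.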
stephan2012 commented 1 month ago

Oops, I missed that. Thanks for the pointer, which resolves my issue. 🙂