Closed markmcgookin closed 3 years ago
@markmcgookin Thanks for your feedback! I've assigned this issue to the author who will investigate and update as appropriate.
Hello @markmcgookin, for detailed information and usage of the Secrets Store CSI Driver please refer to their documentation. This is just a basic tutorial to get started. Secrets Store CSI driver official documentation: https://secrets-store-csi-driver.sigs.k8s.io/introduction.html
See here for information on the issue.
From that page:
Following this tutorial, the AAD Pod Identity fails to work (the NMI Pod goes into a crash loop on startup) and thus things never actually work.
Ideally someone needs to update the steps in this document to include a safe and secure work around for this issue.
This is a very complicated subject and a lot of people who just want to run a few containers with K8S as a managed service might not have the knowledge to work around this safely themselves.
EDIT: This might be 'avoided' by using the suggested version of 1.16.X mentioned in the tutorial... but that simply avoids the issue by leaving the users open to the security vulnerability mentioned above. 1.19.X is much more up to date (and thus has AAD Pod Identity disabled for security reasons), and ideally the tutorial should be updated to support this.
The warning from that link seems to imply that if you were to enable this, and open yourself up to the risk of being spoofed, you need to take a number of other steps (possibly with every pod deployment on the cluster?!) to protect yourself... which seems crazy.