How to secure docker private registry credentials used in Kubernetes cluster nodes and namespaces?

  docker, docker-registry, kubernetes

Trying to see if there are any recommended or better approaches, since `docker login my.registry.com` creates a config.json with the user id and password, and it’s not encrypted. Anyone logged into the node or jumpbox where the images are pushed/pulled from a private registry can easily see the registry credentials. Coming to using those credentials for a Kubernetes deployment, I believe the only option is to convert that into a regcred and refer to it as imagePullSecrets in the YAML files. The secret can be namespace scoped, but it still has the risk of exposing the data to other users who may have access to that namespace, since k8s secrets are simply base64 encoded, not really encrypted.

Are there any recommended tools/plugins to secure and/or encrypt these credentials without involving external API calls?

I have heard about Bitnami sealed secrets but haven’t explored that yet; I would like to hear from others, since this is a very common issue for any team/application that is starting its container journey.

Source: Docker Questions
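An added audit check, not part of the original post, that demonstrates the point the question makes: the `auth` field in `~/.docker/config.json` and the `.dockerconfigjson` payload of a `kubernetes.io/dockerconfigjson` Secret are both just base64, so anyone who can read the file or `get` the Secret can recover the username and password. The sample config and Secret are constructed, the registry hostnames are placeholders, and entries served by a credential helper (`credsStore` / `credHelpers`) are reported separately because those hold no secret in the file.

```python
import base64
import json

# Constructed config.json in the shape `docker login` writes it when no
# credential helper is configured: "auth" is base64("user:password").
SAMPLE_CONFIG = json.dumps({
    "auths": {
        "my.registry.com": {"auth": base64.b64encode(b"deploy:s3cr3t").decode()},
        "helper.registry.example": {},
    },
    # Placeholder helper name; the real value depends on the host's tooling.
    "credHelpers": {"helper.registry.example": "osxkeychain"},
})


def audit_docker_config(config_text):
    """Classify each registry in a Docker config.json.

    Returns {registry: "helper" | "plaintext (user=...)" | "none"}.
    Only the username is reported so the audit output never echoes the
    password; the point is that it *could* be decoded just as easily.
    """
    cfg = json.loads(config_text)
    helpers = cfg.get("credHelpers", {})
    store = cfg.get("credsStore")  # a global helper covers every registry
    report = {}
    for registry, entry in cfg.get("auths", {}).items():
        if store or registry in helpers:
            report[registry] = "helper"
        elif entry.get("auth"):
            user, _, _ = base64.b64decode(entry["auth"]).decode().partition(":")
            report[registry] = f"plaintext (user={user})"
        else:
            report[registry] = "none"
    return report


def audit_pull_secret(secret_obj):
    """Run the same audit over a kubernetes.io/dockerconfigjson Secret
    as returned by `kubectl get secret <name> -o json`."""
    if secret_obj.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("not an image pull secret")
    payload = base64.b64decode(secret_obj["data"][".dockerconfigjson"]).decode()
    return audit_docker_config(payload)


# Constructed regcred Secret built from the same config.json; the Secret
# wraps the file in one more layer of base64, which is still not encryption.
SAMPLE_SECRET = {
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/dockerconfigjson",
    "metadata": {"name": "regcred", "namespace": "demo"},
    "data": {".dockerconfigjson": base64.b64encode(SAMPLE_CONFIG.encode()).decode()},
}
```

Running `audit_docker_config` over a node's config.json or `audit_pull_secret` over each namespace's pull secrets gives a quick inventory of which registries still have recoverable credentials on disk or in etcd.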