Kubeconfig Security Considerations

This document outlines important security considerations when working with kubeconfig files for InSpec container scanning.

File Permissions

Always set restrictive permissions on kubeconfig files:

chmod 600 kubeconfig.yaml

This ensures only the file owner can read or write to the file, preventing unauthorized access.

Token Expiration

Service account tokens have expiration times. For enhanced security, use shorter-lived tokens:

# Create a kubeconfig with a short-lived token (5 minutes)
TOKEN=$(kubectl create token inspec-scanner -n inspec-test --duration=5m)
# ... create kubeconfig ...

# After token expiration, kubeconfig must be regenerated

In CI/CD environments, generate tokens with just enough time for the scanning job to complete.
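A scan job that starts with a token about to expire fails halfway through, so it is worth checking the lifetime before the job begins. The following shell snippet is an added example, not code from the project: it decodes only the payload segment of a service-account JWT (signature checking is the API server's job and is deliberately not attempted here) and reports how many seconds remain before the `exp` claim. The `make_sample_token` helper builds a constructed, unsigned token with the claim layout `kubectl create token` produces, purely so the example runs offline; the function names and the 300-second margin are assumptions.

```shell
#!/bin/sh
# Inspect a service-account token's remaining lifetime before starting a scan.
# Added example: payload decoding only; no signature validation is attempted.

b64url_decode() {
  # JWT segments are base64url without padding: swap the alphabet and re-pad.
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

jwt_claim() {
  # $1 = token, $2 = claim name. Prints the claim's scalar value without quotes.
  payload=$(printf '%s' "$1" | cut -d. -f2)
  b64url_decode "$payload" |
    sed -n "s/.*\"$2\":\"\{0,1\}\([^,}\"]*\)\"\{0,1\}.*/\1/p"
}

token_seconds_remaining() {
  # Seconds until the "exp" claim; negative once the token has expired.
  exp=$(jwt_claim "$1" exp)
  [ -n "$exp" ] || return 1
  echo $(( exp - $(date +%s) ))
}

token_is_usable() {
  # $1 = token, $2 = seconds the scan is expected to take.
  # Succeeds only if the token outlives the job by at least that margin.
  left=$(token_seconds_remaining "$1") || return 1
  [ "$left" -ge "$2" ]
}

# Constructed, unsigned sample token (assumption for the demo): same claim
# layout as kubectl create token (aud/exp/iat/sub); the third segment is a
# placeholder, not a real signature.
make_sample_token() {
  payload="{\"aud\":[\"https://kubernetes.default.svc\"],\"exp\":$1,\"iat\":1700000000,\"sub\":\"system:serviceaccount:inspec-test:inspec-scanner\"}"
  seg=$(printf '%s' "$payload" | base64 | tr -d '\n=' | tr '/+' '_-')
  printf 'eyJhbGciOiJSUzI1NiJ9.%s.unsigned' "$seg"
}

# Real-world usage, assuming the scan takes well under five minutes:
#   TOKEN=$(kubectl create token inspec-scanner -n inspec-test --duration=5m)
#   token_is_usable "$TOKEN" 120 || { echo "token too short-lived for this job"; exit 1; }

# Demo on the constructed token (expires 2100-01-01): prints the seconds left.
token_seconds_remaining "$(make_sample_token 4102444800)"
```

The check is cheap enough to run at the top of every CI job; failing fast there is far clearer than an authentication error from the API server in the middle of a scan.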

Namespace Limitation

The kubeconfig sets a default namespace, but it does not confine the credentials to that namespace: the token can reach any namespace its RBAC bindings allow. Access control therefore still relies on the RBAC configuration. For proper security:

  1. Apply appropriate RBAC rules to limit service accounts
  2. Use label-based RBAC for fine-grained access control
  3. Specify the namespace in the context to set a default, but don't rely on it for security
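The RBAC rules in step 1 are what actually confine the scanner. The shell function below is an added example, not part of the project: it emits a namespace-scoped Role plus RoleBinding for the scanner service account and a small check that the manifest never escalates to a ClusterRole or wildcard grant. The verb list is an assumption about what the scanner needs (listing pods and opening an exec session into a container, which is how `k8s-container://` targets are reached); extend it only if a scan actually fails on authorization.

```shell
#!/bin/sh
# Generate least-privilege RBAC for the scanner service account.
# Added example; resource/verb list is an assumption about the scanner's needs.

scanner_rbac_manifest() {
  # $1 = namespace, $2 = service account name
  ns=$1
  sa=$2
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${sa}-role
  namespace: ${ns}
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${sa}-binding
  namespace: ${ns}
subjects:
  - kind: ServiceAccount
    name: ${sa}
    namespace: ${ns}
roleRef:
  kind: Role
  name: ${sa}-role
  apiGroup: rbac.authorization.k8s.io
EOF
}

manifest_is_namespaced() {
  # Succeeds only if the generated manifest uses a namespaced Role and grants
  # no wildcard verbs or resources; fails on any ClusterRole reference.
  m=$(scanner_rbac_manifest "$1" "$2")
  printf '%s\n' "$m" | grep -q '^kind: Role$' || return 1
  printf '%s\n' "$m" | grep -q 'ClusterRole' && return 1
  printf '%s\n' "$m" | grep -q '"\*"' && return 1
  return 0
}

# Apply and then confirm the scope from the outside (real kubectl flags):
#   scanner_rbac_manifest inspec-test inspec-scanner | kubectl apply -f -
#   kubectl auth can-i list pods -n inspec-test  --as=system:serviceaccount:inspec-test:inspec-scanner   # expect: yes
#   kubectl auth can-i list pods -n kube-system  --as=system:serviceaccount:inspec-test:inspec-scanner   # expect: no

# Demo: print the manifest for the names used elsewhere in this document.
scanner_rbac_manifest inspec-test inspec-scanner
```

The `kubectl auth can-i --as` checks are the quickest way to prove the point of this section: even with the default namespace set in the kubeconfig, it is the absence of a binding in `kube-system` (not the context) that keeps the scanner out of it.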

Environment Variable Security

When using the KUBECONFIG environment variable:

KUBECONFIG=./secure-kubeconfig.yaml kubectl get pods

Be aware that environment variables can be visible to other processes on the same host (for example in process listings) and are often captured in CI and shell logs. In shared environments, prefer file-based configuration with proper permissions.

Secret Management

In CI/CD environments, store kubeconfig files as secrets:

GitHub Actions

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Configure Kubernetes
        run: |
          umask 077   # new files are created 0600, so the secret is never briefly readable by other users
          mkdir -p $HOME/.kube
          echo "$KUBE_CONFIG" > $HOME/.kube/config
          chmod 600 $HOME/.kube/config
        env:
          KUBE_CONFIG: ${{ secrets.KUBECONFIG }}

GitLab CI

# KUBE_CONFIG is defined in the project's CI/CD settings as a masked, protected
# variable and is referenced as an ordinary environment variable. The
# `${{ secrets.* }}` expression is GitHub Actions syntax and has no meaning in
# GitLab CI.
container-scan:
  stage: scan
  script:
    - umask 077   # script lines share one shell, so this covers the writes below
    - mkdir -p $HOME/.kube
    - echo "$KUBE_CONFIG" > $HOME/.kube/config
    - chmod 600 $HOME/.kube/config
    - cinc-auditor exec profile -t k8s-container://namespace/pod/container
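The File Permissions and Secret Management sections both come down to the same requirement: the kubeconfig must never be readable by anyone but its owner, not even between the write and the `chmod`. The shell helper below is an added example, not part of the project or either CI vendor's tooling: it restricts the umask before creating anything, writes the secret to a `mktemp` file in the target directory (created 0600 by `mktemp` itself) and renames it into place, then offers a check that a job can run before scanning. Function names are assumptions; the `stat` invocations cover GNU coreutils and BSD/macOS.

```shell
#!/bin/sh
# Materialise a kubeconfig from a CI secret variable (or stdin) without it ever
# being readable by other users. Added example, not from the project.

write_kubeconfig() {
  # $1 = destination path; the kubeconfig text is read from stdin.
  dest=$1
  dir=$(dirname "$dest")
  (
    umask 077                                   # new files 0600, new dirs 0700
    mkdir -p "$dir"                             # only affects a directory created here
    tmp=$(mktemp "$dir/.kubeconfig.XXXXXX") || exit 1
    cat > "$tmp" || { rm -f "$tmp"; exit 1; }   # secret lands in a 0600 file from the start
    mv -f "$tmp" "$dest"                        # atomic rename into place
  )
}

kubeconfig_perms_ok() {
  # Succeeds only if $1 exists, is owned by the caller and has mode 0600.
  # stat -c is the GNU coreutils spelling, stat -f the BSD/macOS one.
  [ -f "$1" ] || return 1
  owner=$(stat -c %u "$1" 2>/dev/null || stat -f %u "$1" 2>/dev/null)
  [ "$owner" = "$(id -u)" ] || return 1
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null)
  [ "$mode" = "600" ]
}

# CI usage (GitHub Actions or GitLab): replace the echo/chmod lines with
#   printf '%s\n' "$KUBE_CONFIG" | write_kubeconfig "$HOME/.kube/config"
#   kubeconfig_perms_ok "$HOME/.kube/config" || { echo "kubeconfig permissions are wrong"; exit 1; }

# Demo with a constructed, minimal kubeconfig written to a temporary directory.
demo_dir=$(mktemp -d)
printf 'apiVersion: v1\nkind: Config\n' | write_kubeconfig "$demo_dir/.kube/config"
kubeconfig_perms_ok "$demo_dir/.kube/config" && echo "kubeconfig written with mode 0600"
rm -rf "$demo_dir"
```

The `mktemp` plus `mv` pattern also means a crashed job never leaves a half-written kubeconfig at the final path; the worst case is an orphaned 0600 temp file in the same directory.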

Multiple Environments

For different environments (dev, test, prod), create separate kubeconfig files with appropriate RBAC permissions:

# Development - may have more permissive rights
./generate-kubeconfig.sh dev-namespace inspec-scanner-dev ./kubeconfig-dev.yaml

# Production - should have more restricted rights
./generate-kubeconfig.sh prod-namespace inspec-scanner-prod ./kubeconfig-prod.yaml

This approach prevents development credentials from accessing production systems.

Audit and Rotation

Regularly rotate service account tokens and audit kubeconfig usage:

# Recreate the service account to invalidate all existing tokens
kubectl delete sa inspec-scanner -n inspec-test
kubectl create sa inspec-scanner -n inspec-test

# Generate new kubeconfig
./generate-kubeconfig.sh inspec-test inspec-scanner ./new-kubeconfig.yaml