Even if both the application and Secretless are supposed to be running on a trusted network within Kubernetes/OpenShift, what would be the best way to encrypt traffic between the application and Secretless?
Can Secretless act as an HTTPS proxy? (currently Secretless refuses the CONNECT method for obvious reasons)
The documentation mentions overlay networks and pod colocation for Kubernetes but I am not sure it can help to achieve mTLS between the application and Secretless.
(mTLS could be used to ensure any malicious container that got injected in the pod won’t be able to leverage Secretless to access a target service)
First I should note that we don’t by default encrypt the traffic between the application and Secretless since this is by design a local connection. We recommend using the native properties of the system to prevent unauthorized external entities from gaining access to the app’s local environment, so that encryption of the local connection isn’t critical.
We have considered optionally enabling local encryption for the app-to-Secretless connection, but to design a useful solution we would need to understand the use case better. It’s also not clear the cost of implementing a solution like this is commensurate with the security benefit - we’d have to implement this in such a way that the app could securely connect to Secretless in the local environment, but a hacker with access to the same local environment couldn’t still impersonate the app, which presents challenges.
Since this has come up before, I did log an issue for it here and labeled it as needing more info. I’d be glad if anyone interested in this use case could add more information to the ticket with what they’d be looking for in a solution like this.
Thanks for asking! I’ll check with the Secretless team to see if they have any other recommendations for securing the app’s local environment, too.