bored-postman-37838

09/02/2022, 8:55 PM
Hi, I'm using Rancher 2.6.3 and I just found that Rancher actually explicitly exposes all the values in the GUI in Secrets. This looks super crazy to me. Does anyone have some idea about it?

creamy-pencil-82913

09/02/2022, 9:02 PM
Did you think that things in secrets weren’t just like, there in the cluster?
they’re just a configmap with a different name and RBAC

bored-postman-37838

09/06/2022, 5:07 PM
@creamy-pencil-82913 If people use their account to log in to a docker registry, they will expose their credential to everyone. Is there any way they can log in to the docker registry without the leak?

creamy-pencil-82913

09/06/2022, 5:16 PM
what do you mean leak? You mean you have users putting their credentials in secrets?
Anything you put in a secret can be read by anyone with access to read secrets. That is how Kubernetes works.

bored-postman-37838

09/06/2022, 5:20 PM
OK. Thanks for clarification. In that case, how do we enable users to pull a docker image?

creamy-pencil-82913

09/06/2022, 5:31 PM
is making the images pullable without authentication not an option?
In RKE2 or K3s you can also configure auth at the container runtime level by placing the registry credentials in registries.yaml

bored-postman-37838

09/06/2022, 5:34 PM
Hmmm we need a credential to pull from our private registry. We are using k8s on aws (EKS) in our cluster

creamy-pencil-82913

09/06/2022, 5:39 PM
Have you considered using IAM node roles on your EC2 instances to grant access to ECR?
This doesn’t really sound like a Rancher problem though…

bored-postman-37838

09/06/2022, 5:44 PM
We don’t use ECR but Artifactory so we cannot use IAM to access it. Is it possible to have a global registry credential that everyone in the cluster can share?