Channels
academy
amazon
arm
azure
cabpr
chinese
ci-cd
danish
deutsch
developer
elemental
epinio
espanol
events
extensions
fleet
français
gcp
general
harvester
harvester-dev
hobbyfarm
hypper
japanese
k3d
k3os
k3s
k3s-contributor
kim
kubernetes
kubewarden
lima
logging
longhorn-dev
longhorn-storage
masterclass
mesos
mexico
nederlands
neuvector-security
office-hours
one-point-x
onlinemeetup
onlinetraining
opni
os
ozt
phillydotnet
portugues
rancher-desktop
rancher-extensions
rancher-setup
rancher-wrangler
random
rfed_ara
rio
rke
rke2
russian
s3gw
service-mesh
storage
submariner
supermicro-sixsq
swarm
terraform-controller
terraform-provider-rancher2
terraform-provider-rke
theranchcast
training-0110
training-0124
training-0131
training-0207
training-0214
training-1220
ukranian
v16-v21-migration
vsphere
windows
Title
b
bored-postman-37838
09/02/2022, 8:55 PMHi I'm using rancher 2.6.3 and I just found that rancher actually explicitly exposes all the values on GUI in Secrets. This looks super crazy to me. Does anyone have some idea about it?
c
creamy-pencil-82913
09/02/2022, 9:02 PMDid you think that things in secrets weren’t just like, there in the cluster?
they’re just a configmap with a different name and RBAC
b
bored-postman-37838
09/06/2022, 5:07 PM@creamy-pencil-82913 If people use their account to login to a docker registry, they will expose their credential to everyone. Is there any way they can login to the docker registry without the leak?
c
creamy-pencil-82913
09/06/2022, 5:16 PMwhat do you mean leak? You mean you have users putting their credentials in secrets?
Anything you put in a secret can be read by anyone with access to read secrets. That is how Kubernetes works.
b
bored-postman-37838
09/06/2022, 5:20 PMOK. Thanks for clarification. In that case, how do we enable users to pull a docker image?
c
creamy-pencil-82913
09/06/2022, 5:31 PMis making the images pullable without authentication not an option?
In RKE2 or K3s you can can also configure auth at the container runtime level by placing the registry credentials in registries.yaml
b
bored-postman-37838
09/06/2022, 5:34 PMHmmm we need a credential to pull from our private registry. We are using k8s on aws (EKS) in our cluster
c
creamy-pencil-82913
09/06/2022, 5:39 PMHave you considered using IAM node roles on your EC2 instances to grant access to ECR?
This doesn’t really sound like a Rancher problem though…
b
bored-postman-37838
09/06/2022, 5:44 PMWe don’t use ECR but Artifactory so we cannot use IAM to access it. Is it possible to have a global registry credential that everyone in the cluster can share?