
Hardcoded Secret in Dex Authenticator ConfigMap #179

Description

@VF-mbrauer

While reviewing the ConfigMaps of the dex Kubernetes namespace, it was found that a secret is hardcoded and stored in clear text inside the ConfigMap dex-auth-dex-k8sauthenticator. Storing secret values in clear text within ConfigMaps potentially allows anyone with permissions to review ConfigMaps to obtain sensitive information, potentially causing other/unspecified harm.

```shell
#kubectl get cm -n dex dex-auth-dex-k8s-authenticator -oyaml
```

```yaml
data:
  config.yaml: |-
    listen: http://0.0.0.0:5555
    web_path_prefix: /
    debug: false
    logo_uri: mylogo.logo.com
    clusters:
    - client_id: dex-k8s-authenticator
      client_secret: <mysecret-key>
      description: Please click here to generate the 24h token...
      issuer: https://my-url-to-dex
```
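A detection and remediation helper, added here as an example and not part of the issue or of the dex-k8s-authenticator project: it scans the YAML that `kubectl get cm -o yaml` prints for credential-like keys that hold a literal value (including inside an embedded `config.yaml` block scalar), ignores placeholders such as `<mysecret-key>`, environment-variable expansions and Secret references, and moves the findings into a separate `Secret` manifest. The sample ConfigMap, the key-name list and the `<moved-to-secret/...>` marker are constructed assumptions for this example; how the application then reads the value out of the Secret (environment variable or mounted file) depends on the project and is not shown.

```python
import base64
import re
import sys

# Constructed sample (not the manifest from the issue): the shape `kubectl get cm -o yaml`
# prints for a ConfigMap whose config.yaml embeds an OIDC client secret.
SAMPLE_CONFIGMAP = """\
apiVersion: v1
kind: ConfigMap
metadata:
  name: dex-auth-dex-k8s-authenticator
  namespace: dex
data:
  config.yaml: |-
    listen: http://0.0.0.0:5555
    web_path_prefix: /
    debug: false
    clusters:
    - client_id: dex-k8s-authenticator
      client_secret: example-client-secret
      issuer: https://dex.example.invalid
"""

# Key names that usually carry a credential. Hypothetical baseline for this example;
# extend it with the key names your own applications use.
SENSITIVE_KEY = re.compile(
    r"^(?P<indent>\s*-?\s*)(?P<key>[\w.-]*(?:secret|password|passwd|token|api[_-]?key)[\w.-]*)"
    r"\s*:\s*(?P<value>.*)$",
    re.IGNORECASE,
)
# Keys such as secretName / secretKeyRef name a Secret object rather than holding a value.
REFERENCE_KEY = re.compile(r"(?:name|ref)$", re.IGNORECASE)
# Values that are not literals: empty, a <placeholder>, an env-var expansion, or a file path.
NOT_LITERAL = re.compile(r"^(?:<[^>]*>|\$\{?\w+\}?|\$\([^)]*\)|/[\w./-]+)?$")


def find_hardcoded_secrets(manifest: str) -> list:
    """Return (line_number, key, value) for every credential-like key holding a literal."""
    findings = []
    for lineno, line in enumerate(manifest.splitlines(), start=1):
        m = SENSITIVE_KEY.match(line)
        if m is None or REFERENCE_KEY.search(m.group("key")):
            continue
        value = m.group("value").strip().strip("'\"")
        if NOT_LITERAL.match(value):
            continue
        findings.append((lineno, m.group("key"), value))
    return findings


def extract_to_secret(manifest: str, secret_name: str, namespace: str) -> tuple:
    """Replace each literal with a <moved-to-secret/NAME> marker and return
    (sanitized_manifest, secret_manifest). Values are base64-encoded because the
    Secret API's `data` field requires it; the key name becomes the Secret data key,
    so two findings with the same key would need disambiguation by the caller."""
    lines = manifest.splitlines()
    data_entries = []
    for lineno, key, value in find_hardcoded_secrets(manifest):
        m = SENSITIVE_KEY.match(lines[lineno - 1])
        lines[lineno - 1] = f"{m.group('indent')}{key}: <moved-to-secret/{secret_name}>"
        data_entries.append(f"  {key}: {base64.b64encode(value.encode()).decode()}")
    secret = (
        "apiVersion: v1\nkind: Secret\nmetadata:\n"
        f"  name: {secret_name}\n  namespace: {namespace}\ntype: Opaque\ndata:\n"
        + "\n".join(data_entries)
        + "\n"
    )
    return "\n".join(lines) + "\n", secret


if __name__ == "__main__":
    # Pipe real output in (`kubectl get cm -A -o yaml | python3 cm_secret_scan.py`)
    # or run without input to scan the constructed sample.
    text = SAMPLE_CONFIGMAP if sys.stdin.isatty() else sys.stdin.read()
    for lineno, key, _ in find_hardcoded_secrets(text):
        print(f"line {lineno}: literal value for credential-like key '{key}'")
    sanitized, secret = extract_to_secret(text, "dex-client-secret", "dex")
    print("--- sanitized ConfigMap ---\n" + sanitized)
    print("--- generated Secret ---\n" + secret)
```

The scanner is deliberately line-based rather than a YAML parser so that it also sees keys inside the `|-` block scalar, which is exactly where the issue's `client_secret` lives; a parser would hand that whole block back as one opaque string. Reported values are printed only as key names, so the script's own output does not leak the credential into shell history or CI logs.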
