A Kubernetes mutating admission webhook that securely injects secrets from GCP Secret Manager as environment variables into application containers.
Cloud-Army-Secret-Injector reads secrets from GCP Secret Manager and automatically injects the values as environment variables into the application subprocess.
This tool is used to automate the injection of secrets stored in Google Cloud Platform's Secret Manager into Kubernetes pods without exposing them directly in pod specs, enhancing security and compliance. It is ideal for Kubernetes administrators and DevOps teams running workloads on GKE with Workload Identity enabled who want to enforce secret management best practices and comply with CIS Kubernetes Benchmarks.
This tool requires a GKE cluster with Workload Identity enabled and proper IAM role assignments for the GCP Service Account. Cert-manager must be installed to manage TLS certificates for the webhook. Only namespaces labeled with 'admission-webhook=enabled' will have secrets injected, ensuring selective application. For testing, a custom Docker image with an entrypoint script printing environment variables is recommended. This tool helps comply with CIS Kubernetes Benchmark control 5.4.1 by avoiding direct secret exposure in pod specs.
Ensure GKE cluster with Workload Identity enabled and KSA-GSA binding configured
Assign roles/secretmanager.secretAccessor IAM role to the GCP Service Account
Install cert-manager controller on the Kubernetes cluster
Label the target namespace with 'admission-webhook=enabled' to activate secret injection
Add the Helm repo: helm repo add cloud-army https://cloud-army.github.io/helm-charts
Install the admission webhook using Helm: helm install cloud-army-secret-injector cloud-army/cloud-army-secret-injector
Verify that the webhook pods, services, and deployments are running in the 'mutator' namespace
kubectl label namespaces [applications_namespace] admission-webhook=enabled
Labels the namespace to enable the admission webhook for secret injection.
helm repo add cloud-army https://cloud-army.github.io/helm-charts
Adds the Cloud-Army Helm chart repository to your Helm client.
helm install cloud-army-secret-injector cloud-army/cloud-army-secret-injector
Installs the secret mutator admission webhook into the Kubernetes cluster.
kubectl apply -f manifests/pods-example/pod-example.yaml
Deploys a test pod that retrieves secrets from GCP Secret Manager and prints them in the pod console.
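As an added example (not the project's own code) of the two halves of the technique described above: the mutating webhook patches the pod so that its spec carries only Secret Manager references, and a runtime step resolves those references into the environment of the application subprocess. The SECRET_REF_ naming convention, the AdmissionReview payload, the resource name and the resolver are constructed assumptions; in a real deployment the admission-webhook=enabled label is matched by the API server's namespaceSelector before the handler is called, which is modelled here as a function argument.

```python
import base64
import json
from typing import Callable, Dict, List

REF_PREFIX = "SECRET_REF_"  # assumed naming convention, not the project's own

# Constructed AdmissionReview request, modelled on what the API server sends.
ADMISSION_REQUEST = {
    "request": {
        "uid": "c0ffee00-0000-4000-8000-000000000001",
        "namespace": "apps",
        "object": {"spec": {"containers": [
            {"name": "app", "image": "app:1.0", "env": [{"name": "PORT", "value": "8080"}]},
            {"name": "sidecar", "image": "proxy:1.0"},
        ]}},
    }
}
# Constructed mapping: env var name -> Secret Manager version resource name.
SECRET_REFS = {"DB_PASSWORD": "projects/demo-project/secrets/db-password/versions/latest"}


def mutate(review: dict, refs: Dict[str, str], ns_labels: Dict[str, str]) -> dict:
    """Build the AdmissionReview response. Pods in namespaces without
    admission-webhook=enabled are admitted unchanged; otherwise every container
    gets SECRET_REF_* env vars holding references only, so the pod spec stored
    in etcd never contains a secret value (CIS 5.4.1 intent)."""
    req = review["request"]
    resp = {"uid": req["uid"], "allowed": True}
    if ns_labels.get("admission-webhook") != "enabled":
        return resp
    patch: List[dict] = []
    for i, c in enumerate(req["object"]["spec"]["containers"]):
        entries = [{"name": REF_PREFIX + k, "value": v} for k, v in refs.items()]
        if "env" in c:  # append to an existing env list with the JSON Patch "-" index
            patch.extend({"op": "add", "path": f"/spec/containers/{i}/env/-", "value": e} for e in entries)
        else:           # no env list yet: create it in one operation
            patch.append({"op": "add", "path": f"/spec/containers/{i}/env", "value": entries})
    resp["patchType"] = "JSONPatch"
    resp["patch"] = base64.b64encode(json.dumps(patch).encode()).decode()
    return resp


def decode_patch(resp: dict) -> List[dict]:
    """Decode the base64 JSON Patch from a webhook response (for inspection/tests)."""
    return json.loads(base64.b64decode(resp["patch"]))


def child_env(environ: Dict[str, str], resolve: Callable[[str], str]) -> Dict[str, str]:
    """Runtime side: turn SECRET_REF_X=<resource name> into X=<value> for the
    application subprocess and drop the reference. In production `resolve`
    would wrap the google-cloud-secretmanager access_secret_version call."""
    env = {k: v for k, v in environ.items() if not k.startswith(REF_PREFIX)}
    for k, v in environ.items():
        if k.startswith(REF_PREFIX):
            env[k[len(REF_PREFIX):]] = resolve(v)
    return env
```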