1. Overview

To inject secrets into your containers, first integrate Prisma Cloud with your secrets manager, and then set up rules for injecting specific secrets into specific containers.

Use the same procedure for injecting secrets in a Kubernetes cluster. Set up your rules to target specific containers, images, or labels. Make sure Kubernetes uses dockerd and Prisma Cloud is running in local socket mode.

2. Injecting secrets into containers

After integrating your secrets store with Prisma Cloud, specify which secrets should be injected into which containers. To do this, create the appropriate rules in Console.

Secrets can be injected as environment variables or as files.

For secrets injected as environment variables: if there is a collision between a predefined environment variable and an injected secret, the value of the environment variable will always be the value of the secret.

For security reasons, secrets injected as environment variables are only exposed to the container’s main process and children of the main process.

For secrets injected as files: they can be found in /run/secrets/<SECRET_NAME>, where the contents of the file contain the secret’s value. By default, secrets can only be read by root users in the container space. If you run your containers as non-root users, configure the injection rule to make the secrets readable by all users. Prisma Cloud can set the access permissions of the injected secrets file to read-only for the 'others' class of users. For more information about access permissions and 'others', see the chmod man page.

Secrets injection currently only works with image labels, not container or host labels.

Prerequisite: You’ve already created a secret in your store or vault.

  1. In Console, go to Defend > Access > Secrets.

  2. Click Add new secrets rule.

  3. Specify a name for your rule.

  4. Specify how your secret(s) should be injected. You can choose between environment variables and files.

    If you choose files, you can select how the files are injected into the container. By default, the files are readable by root users only. If your containers run as non-root users, select All Users. The All Users option makes the files readable by any user by setting read permission for the others class of users.

  5. Create a list of secrets from your store that you want to inject into your container(s). Under Add secret:

    1. Specify a secret name.

      When you inject secrets as environment variables, this field specifies the environment variable name.

      When you inject secrets as files, this field specifies the file name.

    2. Specify the store where the secret is stored. The drop-down list contains any store that you integrated with Prisma Cloud.

    3. Specify the secret’s path and key.

    4. Click Add Secret. It is added to the list of secrets.

    5. Repeat steps a through d for as many secrets that must be included in your rule.

  6. Specify a filter for your rule. By default, all secrets are injected into all containers on all hosts.

  7. Click Add.

  8. Verify that your secrets are properly injected.

    For example, assuming your rule targets the alpine container and secrets are injected as environment variables, run the following commands:

    Default rules target all resources in the environment. The Containers, Images, Hosts, and Labels fields are set to wildcards. If your rule is set up this way, then your secrets will be injected into the alpine container.
    $ docker run -it alpine:latest /bin/sh
    / # printenv

    If your secrets are injected as files, and you left Target directory unspecified in your rule, then your secrets are injected into /run/secrets/, where <SECRET-NAME> is the name of the injected file, as specified in your rule.

    $ docker run -it alpine:latest /bin/sh
    / # cat /run/secrets/<SECRET-NAME>