KubeKeeper is a Kubernetes extension that provides fine-grained access control and strong encryption for Kubernetes Secrets, preventing unauthorized access due to excessive permissions or insecure defaults. It integrates with Kubernetes Admission Control and does not require changes to application code. This project is based on our research paper, accepted at IEEE European Symposium on Security and Privacy (Euro S&P) 2025.
Kubernetes' built-in secrets management suffers from several critical limitations:
- Secrets are stored unencrypted by default.
- Even with RBAC, workloads/users can access any Secret in their Namespace if misconfigured.
- Excessive permissions are common, especially with third-party applications.
KubeKeeper addresses these issues by automatically encrypting Secrets and strictly controlling which Pods can access their decrypted values.
- Automatic Encryption: All Secrets are stored and transmitted in encrypted form.
- Fine-Grained Access Control: Only authorized Pods can decrypt and use specific Secrets.
- Seamless Integration: No changes required to your application code.
- Static Analysis Tool: Detects excessive permissions in your Kubernetes YAMLs.
- Minimal Overhead: No runtime impact on your workloads.
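To make the "excessive permissions" problem concrete, here is an added Python check (written for this page, not KubeKeeper's own static analysis tool) that scans Role and ClusterRole objects for rules granting unrestricted read access to Secrets, the misconfiguration that lets any workload in a Namespace read every Secret in it. The manifests are constructed inline as dicts, the same structure a YAML parser would produce, so the script runs offline.

```python
"""Added example, not part of KubeKeeper: flag RBAC rules that grant broad
read access to Secrets. Sample manifests are constructed inline."""

# Verbs that let a subject read Secret contents; "*" covers all verbs.
SECRET_READ_VERBS = {"get", "list", "watch", "*"}


def rule_exposes_secrets(rule):
    """Return True if one PolicyRule lets a subject read Secrets without
    being pinned to specific resourceNames."""
    api_groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    # Secrets live in the core API group, written as "" in RBAC rules.
    in_core_group = "" in api_groups or "*" in api_groups
    names_secrets = "secrets" in resources or "*" in resources
    can_read = bool(verbs & SECRET_READ_VERBS)
    # resourceNames narrows a rule to named objects; absent or empty means "all".
    unrestricted = not rule.get("resourceNames")
    return in_core_group and names_secrets and can_read and unrestricted


def find_excessive_secret_rules(manifests):
    """Scan Role/ClusterRole objects and return (kind, namespace, name, rule index)
    for every rule that exposes all Secrets. ClusterRoles have no namespace."""
    findings = []
    for obj in manifests:
        if obj.get("kind") not in ("Role", "ClusterRole"):
            continue
        meta = obj.get("metadata", {})
        for idx, rule in enumerate(obj.get("rules", [])):
            if rule_exposes_secrets(rule):
                findings.append((obj["kind"], meta.get("namespace", "<cluster>"), meta["name"], idx))
    return findings


# Constructed sample manifests: one over-broad Role, one Role scoped to a single
# Secret by resourceNames, and a wildcard ClusterRole.
SAMPLE_MANIFESTS = [
    {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "Role",
        "metadata": {"name": "app-reader", "namespace": "production"},
        "rules": [
            {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
        ],
    },
    {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "Role",
        "metadata": {"name": "scoped-reader", "namespace": "production"},
        "rules": [
            {"apiGroups": [""], "resources": ["secrets"],
             "resourceNames": ["secret-data"], "verbs": ["get"]},
        ],
    },
    {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRole",
        "metadata": {"name": "everything"},
        "rules": [
            {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
        ],
    },
]

if __name__ == "__main__":
    for kind, ns, name, idx in find_excessive_secret_rules(SAMPLE_MANIFESTS):
        print(f"{kind} {ns}/{name}: rule #{idx} grants unrestricted read on Secrets")
```

The check treats a `resourceNames` restriction as sufficient scoping. One caveat worth remembering when reviewing real clusters: Kubernetes only honours `resourceNames` on `list` and `watch` when the client also sends a matching `metadata.name` field selector, so a scoped `get` is a stronger guarantee than a scoped `list`.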
Run the provided script to install Kind and set up a local Kubernetes cluster:
./install_k8s.sh
To deploy KubeKeeper and its webhook server, simply run:
./deploy_kubekeeper.sh
Deploy a sample Secret (protected by KubeKeeper) and a Deployment that consumes this Secret:
./deploy_samples.sh
To deploy a protected Secret with KubeKeeper, simply add:
- the protected-secret: "true" label, and
- the secret-ownerships annotation specifying which Pod (or other workload) is authorized to access this Secret.
For any Pod (or Deployment) that should access a protected Secret, add the label:
protected-secret-access: "true"
These minimal changes are all that’s needed—no changes to your application code are required. KubeKeeper’s admission controller and webhooks will handle the rest, automatically encrypting the Secret and ensuring only authorized Pods can decrypt and use it.
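As an added illustration (written for this page, not KubeKeeper's own admission-controller code), the following Python script applies the label and annotation checks just described to in-memory manifests and reports whether a Pod may consume a given protected Secret. The `name:kind:namespace` layout of the annotation value is an assumption inferred from the README's sample Secret, as is comma separation for multiple owners; the project's parser, and the way it identifies Pods created by a Deployment, may differ. All manifests are constructed inline.

```python
"""Added example, not KubeKeeper's own logic: decide whether a Pod may use a
protected Secret based on the protected-secret label, the
protected-secret-access label and the secret-ownerships annotation.
Assumption: annotation entries have the form "name:kind:namespace" and
several entries are comma-separated."""

PROTECTED_LABEL = "protected-secret"
ACCESS_LABEL = "protected-secret-access"
OWNERSHIP_ANNOTATION = "secret-ownerships"


def parse_ownerships(value):
    """Turn the annotation value into a set of (name, kind, namespace) tuples.
    Assumption: several owners are comma-separated; surrounding whitespace is ignored."""
    owners = set()
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        parts = entry.split(":")
        if len(parts) != 3 or not all(parts):
            raise ValueError(f"malformed ownership entry: {entry!r}")
        owners.add(tuple(parts))
    return owners


def is_protected(secret):
    """A Secret is under KubeKeeper's control when it carries protected-secret=true."""
    return secret.get("metadata", {}).get("labels", {}).get(PROTECTED_LABEL) == "true"


def pod_secret_refs(pod):
    """Names of Secrets the Pod consumes as volumes or via envFrom."""
    spec = pod.get("spec", {})
    names = {v["secret"]["secretName"] for v in spec.get("volumes", []) if "secret" in v}
    for container in spec.get("containers", []):
        for src in container.get("envFrom", []):
            if "secretRef" in src:
                names.add(src["secretRef"]["name"])
    return names


def check_access(pod, secret):
    """Return (allowed, reason) for a Pod that wants to use a Secret."""
    sec_meta = secret["metadata"]
    if not is_protected(secret):
        return True, "secret is not protected by KubeKeeper"
    pod_meta = pod["metadata"]
    if pod_meta.get("labels", {}).get(ACCESS_LABEL) != "true":
        return False, f"pod lacks label {ACCESS_LABEL}=true"
    if pod_meta.get("namespace") != sec_meta.get("namespace"):
        return False, "pod and secret are in different namespaces"
    owners = parse_ownerships(sec_meta.get("annotations", {}).get(OWNERSHIP_ANNOTATION, ""))
    identity = (pod_meta["name"], pod["kind"], pod_meta["namespace"])
    if identity not in owners:
        return False, f"{identity} is not listed in {OWNERSHIP_ANNOTATION}"
    return True, "pod is an authorized owner"


def audit_pod(pod, secrets):
    """Evaluate every Secret the Pod references in its own namespace."""
    by_name = {s["metadata"]["name"]: s for s in secrets
               if s["metadata"].get("namespace") == pod["metadata"].get("namespace")}
    return {name: check_access(pod, by_name[name])
            for name in sorted(pod_secret_refs(pod)) if name in by_name}


# Constructed sample objects mirroring the manifests in this README.
SECRET = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "secret-data", "namespace": "production",
                 "annotations": {OWNERSHIP_ANNOTATION: "example-pod:Pod:production"},
                 "labels": {PROTECTED_LABEL: "true"}},
    "type": "Opaque",
    "data": {"sensitivedata": "bmV3dGVzdAo="},
}
EXAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "example-pod", "namespace": "production",
                 "labels": {ACCESS_LABEL: "true"}},
    "spec": {"volumes": [{"name": "secret-volume", "secret": {"secretName": "secret-data"}}],
             "containers": [{"name": "test-container", "image": "nginx:1.14.2"}]},
}
# Same namespace and same label, but not named in the ownership annotation.
OTHER_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "other-pod", "namespace": "production",
                 "labels": {ACCESS_LABEL: "true"}},
    "spec": {"containers": [{"name": "c", "image": "nginx:1.14.2",
                             "envFrom": [{"secretRef": {"name": "secret-data"}}]}]},
}

if __name__ == "__main__":
    for pod in (EXAMPLE_POD, OTHER_POD):
        for name, (allowed, reason) in audit_pod(pod, [SECRET]).items():
            print(f"{pod['metadata']['name']} -> {name}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

The second Pod is deliberately in the right namespace and carries the access label, yet is denied: the label only opts a Pod into the mechanism, while the Secret's own ownership annotation decides who may decrypt it.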
apiVersion: v1
kind: Secret
metadata:
  name: secret-data
  namespace: production
  annotations:
    secret-ownerships: "example-pod:Pod:production"
  labels:
    protected-secret: "true"
type: Opaque
data:
  sensitivedata: bmV3dGVzdAo=

apiVersion: v1
kind: Pod
metadata:
  name: example-pod
  namespace: production
  labels:
    protected-secret-access: "true"
spec:
  volumes:
  - name: secret-volume
    secret:
      secretName: secret-data
  containers:
  - name: test-container
    image: nginx:1.14.2
    volumeMounts:
    - name: secret-volume
      mountPath: "/etc/secret-volume"

To reproduce the effectiveness evaluation results reported in our paper, you can use the scripts and datasets provided in the repository.
The evaluation scripts are located in evaluation/effectiveness-eval/.
- How to run:
  1. Navigate to the evaluation directory:
     cd evaluation/effectiveness-eval/
  2. Run the evaluation script:
     ./run.sh
This will execute our static analysis tool on all applications listed in the dataset, which is provided as text files in evaluation/dataset/.
To check the performance evaluation results, you can navigate to the performance evaluation directory and run the performance assessment Python script:
cd evaluation/performance-eval/
python3 assess.py
If you use KubeKeeper in your research, please cite:
@inproceedings{<citation-key>,
  title={KubeKeeper: Protecting Kubernetes Secrets Against Excessive Permissions},
  author={Maryam Rostamipoor and Aliakbar Sadeghi and Michalis Polychronakis},
  booktitle={Proceedings of IEEE European Symposium on Security and Privacy (Euro S&P)},
  year={2025}
}