@@ -270,13 +270,15 @@ sensitive data such as password, OAuth tokens, etc. This project provides integr
270270accessible by Spring Boot applications. This feature can be explicitly enabled/disabled using the `spring.cloud.kubernetes.secrets.enabled` property.
271271
272272The `SecretsPropertySource` when enabled will lookup Kubernetes for `Secrets` from the following sources:
273- 1. reading recursively from secrets mounts
274- 2. named after the application (as defined by `spring.application.name`)
275- 3. matching some labels
273+
274+ . reading recursively from secrets mounts
275+ . named after the application (as defined by `spring.application.name`)
276+ . matching some labels
276277
277278Please note that by default, consuming Secrets via API (points 2 and 3 above) **is not enabled** for security reasons
278- and it is recommend that containers share secrets via mounted volumes. Otherwise proper RBAC security configurations must be provided
279- to make sure that unauthorized access to Secrets occurs.
279+ and it is recommended that containers share secrets via mounted volumes.
280+ If you enable consuming Secrets via API, then it is recommended access to Secrets is limited by an
281+ [authorization policy such as RBAC](https://kubernetes.io/docs/concepts/configuration/secret/#best-practices).
280282
281283If the secrets are found their data is made available to the application.
282284
@@ -755,4 +757,4 @@ added after the original pull request but before a merge.
755757 other target branch in the main project).
756758* When writing a commit message please follow http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html[these conventions],
757759 if you are fixing an existing issue please add `Fixes gh-XXXX` at the end of the commit
758- message (where XXXX is the issue number).
760+ message (where XXXX is the issue number).
0 commit comments