当前位置：网站首页>In aks, use secret in CSI driver mount key vault

In aks, use secret in CSI driver mount key vault

2022-07-01 16:58:00 【mxy00000】

What will this article introduce , You should be able to see it in the title , This article mainly introduces how to AKS Lieutenant general Azure Key Vault Medium secret mount To storage in , This scenario should be regarded as a very standard security design , For example, some confidential information is generally recommended to be placed in Key Vault in , It would be safer , for instance , Database or application username and pwd, Put it in Key Vault in , And then let pod Auto read key vault Information in , This can avoid the risk of information disclosure to the greatest extent

And if you want to achieve this , You need to use the content introduced today , Mainly through CSI driver To achieve , It used to be called Flex Volume, obtain secret The content in must have permission , There are many ways to get authorization , Include service principal,pod identity,vmss identity Many other kinds , This time, we mainly use service principal The way

First of all, I will briefly introduce the contents that need to be prepared , It contains so many things

One AKS Cluster
One SP, And corresponding client id and pwd
One Key Vault, stay Key Vault Configure some in secret
add to Access Policy to SP Authorized access secret
For deployment yaml file

establish cluster,service principal（SP） as well as key vault I won't introduce the steps of

Go straight to work , Take a look first key vault The following secret

stay AKS Pass through CSI Driver mount key vault Medium secret_Cloud

Now add a access policy, to service principal grant secret Of get,list jurisdiction

stay AKS Pass through CSI Driver mount key vault Medium secret_Cloud_02

Then first K8S Create a secret, This secret Will contain service principal Of id and pwd,csi driver Will read this secret And then through service principal Of id and pwd Get token, Then pull key vault Inside secret

       
       kubectl create secret generic keyvaultsecret 
       
       --from
       
       -literal 
       
       clientid
       
       =<AZURE_CLIENT_ID> 
       
       --from
       
       -literal 
       
       clientsecret
       
       =<AZURE_CLIENT_SECRET>
       
kubectl label secret keyvaultsecret secrets-store.csi.k8s.io
       
       /used
       
       =
       
       true
      
1.
2.

stay AKS Pass through CSI Driver mount key vault Medium secret_secret_03

Next, prepare for deployment yaml file ,yaml There are two main documents

SecretProviderClass yaml, Used to describe what to get secret And how to get secret
App yaml, Regular application deployment yaml, contain mountpath And the use of secret

SecretProviderClass yaml

       
       apiVersion
       
       : secrets-store.csi.x-k8s.io/v1
       
       kind
       
       : SecretProviderClass
       
       metadata
       
       :
       
        name
       
       : 
       
       "spc-keyvault" 
       
        namespace
       
       : 
       
       "default" 
       
       spec
       
       :
       
        provider
       
       : azure                   
       
        parameters
       
       :
       
        usePodIdentity
       
       : 
       
       "false"
       
        useVMManagedIdentity
       
       : 
       
       "false"
       
        userAssignedIdentityID
       
       : 
       
       "***" 
       
       # Service Principal ID
       
        keyvaultName
       
       : 
       
       "mxyvault"
       
        objects
       
       : 
       
       | 
       
        array:
       
        - |
       
        objectName: username
       
        objectType: secret
       
        - |
       
        objectName: userpwd
       
        objectType: secret
       
        tenantId
       
       : 
       
       "****" 
       
       # tenant ID
      
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.

App yaml

       
       apiVersion
       
       : apps/v1
       
       kind
       
       : Deployment
       
       metadata
       
       :
       
        labels
       
       :
       
        app
       
       : apachesecret
       
        name
       
       : apachesecret
       
       spec
       
       :
       
        replicas
       
       : 
       
       2
       
        selector
       
       :
       
        matchLabels
       
       :
       
        app
       
       : apachesecret
       
        strategy
       
       :
       
        rollingUpdate
       
       :
       
        maxSurge
       
       : 
       
       1
       
        maxUnavailable
       
       : 
       
       1
       
        type
       
       : RollingUpdate
       
        template
       
       :
       
        metadata
       
       :
       
        labels
       
       :
       
        app
       
       : apachesecret
       
        name
       
       : apachesecret
       
        spec
       
       :
       
        containers
       
       :
       
        - 
       
       image
       
       : *****
       
        livenessProbe
       
       :
       
        httpGet
       
       :
       
        path
       
       : /
       
        port
       
       : 
       
       80
       
        initialDelaySeconds
       
       : 
       
       30
       
        periodSeconds
       
       : 
       
       20
       
        timeoutSeconds
       
       : 
       
       10
       
        failureThreshold
       
       : 
       
       3
       
        imagePullPolicy
       
       : Always
       
        name
       
       : apachesecret
       
        volumeMounts
       
       :
       
        - 
       
       mountPath
       
       : 
       
       "/mnt/secrets-store"
       
        name
       
       : secrets-store-inline
       
        readOnly
       
       : 
       
       true
       
        volumes
       
       :
       
        - 
       
       csi
       
       :
       
        driver
       
       : secrets-store.csi.k8s.io
       
        nodePublishSecretRef
       
       :
       
        name
       
       : keyvaultsecret
       
        readOnly
       
       : 
       
       true
       
        volumeAttributes
       
       :
       
        secretProviderClass
       
       : 
       
       "spc-keyvault"
       
        name
       
       : 
       
       "secrets-store-inline"
      
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
28.
29.
30.
31.
32.
33.
34.
35.
36.
37.
38.
39.
40.
41.
42.
43.
44.
45.
46.
47.

It's a simple one demo It's almost done , Next, before deployment , You need to give it first AKS Turn on add on, otherwise secret provider class This resource Will not be recognized

       
       az aks enable-addons 
       
       --addons azure-keyvault-secrets-provider 
       
       --name myAKSCluster 
       
       --resource
       
       -group myResourceGroup
      
1.

stay AKS Pass through CSI Driver mount key vault Medium secret_Cloud_04

Then you can start deployment

       
       kubectl apply 
       
       -f 
       
       "D:\UserData\Desktop\ApacheSecretProviderClassyml.yaml"
       
kubectl apply 
       
       -f 
       
       "D:\UserData\Desktop\ApacheSecretDeployment.yml"
      
1.
2.

stay AKS Pass through CSI Driver mount key vault Medium secret_secret_05

You can see pod It's already running

stay AKS Pass through CSI Driver mount key vault Medium secret_vault_06

And into pod in , You can also see secret Have succeeded pull down

stay AKS Pass through CSI Driver mount key vault Medium secret_Cloud_07

原网站

版权声明
本文为[mxy00000]所创，转载请带上原文链接，感谢
https://yzsam.com/2022/02/202202152336280442.html

当前位置：网站首页>In aks, use secret in CSI driver mount key vault

In aks, use secret in CSI driver mount key vault

边栏推荐

猜你喜欢

随机推荐