
Combine pod identity in aks and secret in CSI driver mount key vault

2022-06-24 22:41:00 mxy00000

In a previous article, I introduced how to use the CSI driver add-on in AKS to mount secrets into a pod automatically: the secrets are kept in Key Vault and the application picks them up on its own, which protects confidential information well.

Mounting Key Vault secrets in AKS through the CSI Driver

But that approach has a small problem: it mounted secrets with a service principal, which means a secret has to be created in AKS that stores the service principal's id and password. If AKS is managed entirely by the operations team and the application team has no access, this is fine. If the application team also has AKS permissions, it is not ideal, because someone on the application team may be able to read the value of that secret.

To avoid this, we can combine pod identity with a managed service identity: the whole token acquisition is then handled by Azure in the background, and no password needs to exist anywhere.

Let's look at the concrete steps. This demo has many prerequisites; for any step not covered in this article, refer to the following two articles:

Mounting Key Vault secrets in AKS through the CSI Driver

Using pod identity in AKS to obtain a token - practice


Environment preparation:

1. AKS Cluster * 1

2. User assigned managed identity * 1

3. Key Vault * 1

4. Kubectl client * 1


Prerequisites:

1. AKS Cluster created

2. Key Vault created

3. A test secret prepared in Key Vault

4. A test User assigned managed identity created

5. CSI driver add-on enabled for the AKS Cluster

6. pod identity components deployed in the AKS Cluster


Actual operation

Grant the identity access to the secret

First, grant the User assigned managed identity access to the secret in Key Vault.

[screenshot]

This is the User assigned managed identity used in the demo.

[screenshot]


Prepare the yaml files

Next, prepare the deployment files for the pod identity AzureIdentity and AzureIdentityBinding, and the deployment file for the pod.

AzureIdentity

apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentity
metadata:
  name: <any-name>
spec:
  type: 0    # 0 = user-assigned managed identity
  resourceID: /subscriptions/<subid>/resourcegroups/<resourcegroup>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<idname>
  clientID: <clientid>

AzureIdentityBinding

apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentityBinding
metadata:
  name: <any-name>
spec:
  azureIdentity: <name of the AzureIdentity created in previous step>
  selector: <label value to match in your pod>    # the pod carries this value in its aadpodidbinding label

Prepare the SecretProviderClass yaml

apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azure-kvname-podid
spec:
  provider: azure
  parameters:
    usePodIdentity: "true"
    keyvaultName: "kvname"
    objects: |
      array:
        - |
          objectName: secret1
          objectType: secret        # object types: secret, key or cert
          objectVersion: ""         # [OPTIONAL] object versions, default to latest if empty
        - |
          objectName: key1
          objectType: key
          objectVersion: ""
    tenantId: "tid"                 # the tenant ID of the KeyVault

Finally, prepare the yaml for the test pod

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: podidentitykeyvault
    aadpodidbinding: keyvaultdemoselector    # must equal the selector of the AzureIdentityBinding
  name: podidentitykeyvault
spec:
  containers:
    - image: ***
      livenessProbe:
        httpGet:
          path: /
          port: 80
        initialDelaySeconds: 30
        periodSeconds: 20
        timeoutSeconds: 10
        failureThreshold: 3
      imagePullPolicy: Always
      name: podidentitysecret
      volumeMounts:
        - mountPath: "/mnt/secrets-store"
          name: secrets-store-inline
          readOnly: true
  volumes:
    - csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "azure-kvname-podid"    # must match the SecretProviderClass metadata.name above
      name: "secrets-store-inline"

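The four manifests above only work if their names line up: the binding must reference the AzureIdentity, the pod's aadpodidbinding label must equal the binding selector, and the pod's CSI volume must name an existing SecretProviderClass with usePodIdentity set. As an added example (not code from the original post), the following Python check walks those cross-references over manifests modelled as parsed dicts of the kind kubectl get -o json returns; the sample data is constructed, and the function names are my own.

```python
# Added example (not from the original post): cross-reference check over the four
# manifests used above, modelled as parsed dicts like `kubectl get ... -o json` returns.
# A wrong name here fails silently at deploy time (pod stuck in ContainerCreating),
# so catching it before `kubectl apply` is cheaper.

def _by_kind(manifests, kind):
    return [m for m in manifests if m.get("kind") == kind]

def check_manifests(manifests):
    """Return the list of wiring problems found; empty means consistent."""
    problems = []
    identities = {m["metadata"]["name"] for m in _by_kind(manifests, "AzureIdentity")}
    spcs = {m["metadata"]["name"]: m for m in _by_kind(manifests, "SecretProviderClass")}
    selectors = set()
    for b in _by_kind(manifests, "AzureIdentityBinding"):
        spec = b.get("spec", {})
        if spec.get("azureIdentity") not in identities:   # binding -> AzureIdentity
            problems.append(f"binding {b['metadata']['name']}: unknown AzureIdentity {spec.get('azureIdentity')!r}")
        selectors.add(spec.get("selector"))
    for pod in _by_kind(manifests, "Pod"):
        name = pod["metadata"]["name"]
        label = pod["metadata"].get("labels", {}).get("aadpodidbinding")
        if label not in selectors:                        # pod label -> binding selector
            problems.append(f"pod {name}: aadpodidbinding={label!r} matches no binding selector")
        for vol in pod.get("spec", {}).get("volumes", []):
            csi = vol.get("csi") or {}
            if csi.get("driver") != "secrets-store.csi.k8s.io":
                continue
            spc_name = csi.get("volumeAttributes", {}).get("secretProviderClass")
            if spc_name not in spcs:                      # pod volume -> SecretProviderClass
                problems.append(f"pod {name}: unknown SecretProviderClass {spc_name!r}")
            elif spcs[spc_name].get("spec", {}).get("parameters", {}).get("usePodIdentity") != "true":
                problems.append(f"pod {name}: SecretProviderClass {spc_name} is not using pod identity")
    return problems

# Constructed sample mirroring the post's manifests; the pod points at "azure-kv-demo"
# while the SecretProviderClass is named "azure-kvname-podid", which the check flags.
SAMPLE = [
    {"kind": "AzureIdentity", "metadata": {"name": "kv-identity"}, "spec": {"type": 0}},
    {"kind": "AzureIdentityBinding", "metadata": {"name": "kv-binding"},
     "spec": {"azureIdentity": "kv-identity", "selector": "keyvaultdemoselector"}},
    {"kind": "SecretProviderClass", "metadata": {"name": "azure-kvname-podid"},
     "spec": {"provider": "azure", "parameters": {"usePodIdentity": "true", "keyvaultName": "kvname"}}},
    {"kind": "Pod", "metadata": {"name": "podidentitykeyvault", "labels": {"aadpodidbinding": "keyvaultdemoselector"}},
     "spec": {"volumes": [{"name": "secrets-store-inline", "csi": {"driver": "secrets-store.csi.k8s.io",
              "readOnly": True, "volumeAttributes": {"secretProviderClass": "azure-kv-demo"}}}]}},
]
```

Running check_manifests(SAMPLE) reports the mismatched SecretProviderClass name; after correcting it the list is empty.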
Start the deployment

kubectl apply -f .\AzureIdentity.yml
kubectl apply -f .\AzureIdentityBinding.yml

[screenshot]

The deployment process will not be described in detail, but you can see that after deployment the Pod runs normally and can read the secret.

[screenshot]

The azure assigned identity is also created normally:

kubectl get azureassignedidentity

[screenshot]

Original site

Copyright notice
This article was written by [mxy00000]; please include a link to the original when reposting. Thanks.
https://yzsam.com/2022/02/202202211224405631.html