When working with Kubernetes, and with Secrets in particular, you will know that they are not secure by default. In fact, they are just base64-encoded strings, and base64 is an encoding, not encryption, so anyone who can read the Secret object can decode them. You can use other tools to keep your secrets safe and then allow Kubernetes to access them. In this blog post I am going to talk about the Secrets Store CSI driver and Key Vault. https://azure.github.io/secrets-store-csi-driver-provider-azure/
Currently this can be installed via Helm or Kubernetes manifest files, which is nice, but if you are running Azure Kubernetes Service (AKS) like me you will have heard about AKS add-ons. The AKS product team are releasing so many cool add-ons to make our life easier.
Every now and then I look at the az cli aks-preview extension, and I came across a new add-on to install and manage the Secrets Store CSI driver that I have not seen announced or any docs for, so I thought I would give it a go.
You will need to have the latest aks-preview extension. If you have it installed already, just use the following to upgrade it.
If you have not installed it before, you can do so using the following.
Next you will need to register the new feature. You can do that by using the following. Please note that it can take a while, sometimes even 30 minutes.
After a while, run the command below until it reports the feature as registered.
Now you will need to re-register the ContainerService provider to enable the new feature. To do that, just run the following.
Now comes the AKS add-on. You can install this add-on at cluster creation in the same way you would other add-ons, or below you will see the option to upgrade an existing AKS cluster. Just change the resource group and cluster name to yours.
Now if you look at the pods running in the kube-system namespace you will see the new secrets-store pods.
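The whole install sequence above, as an added example script that is not part of the original post. It assumes az cli and kubectl are installed and logged in, and RG and CLUSTER are placeholders for your own resource group and cluster name; the feature name AKS-AzureKeyVaultSecretsProvider and the add-on name azure-keyvault-secrets-provider are the ones the aks-preview extension uses. The last function reads the kube-system pod listing and only succeeds once both the CSI driver pod and the Azure provider pod are Running, which is the check you want before moving on to configuration.

```shell
#!/usr/bin/env bash
# Added example: enable the AKS Key Vault secrets provider add-on end to end.
# RG and CLUSTER are placeholders; override them in the environment.
set -euo pipefail

RG="${RG:-my-resource-group}"        # placeholder
CLUSTER="${CLUSTER:-my-aks-cluster}" # placeholder
FEATURE="AKS-AzureKeyVaultSecretsProvider"

# Step 1: install the aks-preview extension, or update it if already present.
ensure_aks_preview() {
  if az extension show --name aks-preview >/dev/null 2>&1; then
    az extension update --name aks-preview
  else
    az extension add --name aks-preview
  fi
}

# Step 2: register the preview feature and poll until the state is Registered.
# This is the slow part (the post mentions up to 30 minutes).
register_feature() {
  az feature register --namespace Microsoft.ContainerService --name "$FEATURE"
  until [ "$(az feature show --namespace Microsoft.ContainerService \
              --name "$FEATURE" --query properties.state -o tsv)" = "Registered" ]; do
    echo "waiting for $FEATURE to register..."
    sleep 30
  done
  # Step 3: re-register the resource provider so the feature takes effect.
  az provider register --namespace Microsoft.ContainerService
}

# Step 4: turn the add-on on for an existing cluster.
enable_addon() {
  az aks enable-addons --addons azure-keyvault-secrets-provider \
    --resource-group "$RG" --name "$CLUSTER"
}

# Step 5 helper: read `kubectl get pods -n kube-system` output on stdin and
# succeed only if at least one CSI driver pod and one Azure provider pod are
# in the Running state (column 3 of the default kubectl table).
secrets_store_pods_ready() {
  awk '
    $1 ~ /^aks-secrets-store-csi-driver-/     && $3 == "Running" { driver++ }
    $1 ~ /^aks-secrets-store-provider-azure-/ && $3 == "Running" { provider++ }
    END { exit !(driver > 0 && provider > 0) }
  '
}

verify_install() {
  kubectl get pods -n kube-system | secrets_store_pods_ready \
    && echo "secrets store csi driver and azure provider pods are running"
}

# Usage: RG=... CLUSTER=... ./enable-kv-addon.sh run
if [ "${1:-}" = "run" ]; then
  ensure_aks_preview
  register_feature
  enable_addon
  verify_install
fi
```

Nothing runs until you pass `run`, so the file can be sourced to pick up the individual functions; `secrets_store_pods_ready` is pure and works on any saved pod listing.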
That’s the Secrets Store CSI driver installed; you just need to configure it next.
When you create an AKS cluster, a managed identity is created. This is normally called “clustername-agentpool”. You need to give this managed identity access to the Key Vault your secrets, keys, and certificates are stored in. To find the client ID and set the Key Vault access policy, use the following. Just make sure you change the cluster resource group, cluster name and Key Vault name.
Now you need to create a SecretProviderClass object in your cluster. This object tells the driver which Key Vault to read from and which identity to use to fetch the objects. Below is a template; you just need to fill it in with your information.
Once you have that deployed, you can use the following pod example to see how to let your pods access information from Key Vault.
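The configuration steps above (granting the agentpool identity access, the SecretProviderClass, and a pod that mounts the secret), as an added example script that is not the post's own code. It assumes az cli and kubectl are logged in; RG, CLUSTER, KV_NAME and SECRET_NAME are placeholders, the tenant ID is read from the current az account, and the busybox image tag is my choice. The access policy is deliberately limited to get on secrets, keys and certificates, which is all the driver needs to read objects; the pod mounts the volume read-only.

```shell
#!/usr/bin/env bash
# Added example: wire the Secrets Store CSI driver to a Key Vault using the
# cluster's kubelet managed identity. All names below are placeholders.
set -euo pipefail

RG="${RG:-my-resource-group}"          # placeholder
CLUSTER="${CLUSTER:-my-aks-cluster}"   # placeholder
KV_NAME="${KV_NAME:-my-key-vault}"     # placeholder
SECRET_NAME="${SECRET_NAME:-ExampleSecret}"  # placeholder secret in the vault

# Look up the client ID of the "<clustername>-agentpool" identity and grant it
# only get permissions on the vault; print the client ID for reuse.
grant_keyvault_access() {
  local client_id
  client_id=$(az aks show -g "$RG" -n "$CLUSTER" \
    --query identityProfile.kubeletidentity.clientId -o tsv)
  az keyvault set-policy -n "$KV_NAME" --spn "$client_id" \
    --secret-permissions get --key-permissions get \
    --certificate-permissions get -o none
  echo "$client_id"
}

# Render a SecretProviderClass for the Azure provider that authenticates with
# the VM managed identity. Args: name, key vault, identity client ID,
# tenant ID, secret object name.
render_secret_provider_class() {
  local name=$1 kv=$2 client_id=$3 tenant_id=$4 secret=$5
  cat <<EOF
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: ${name}
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "true"
    userAssignedIdentityID: "${client_id}"
    keyvaultName: "${kv}"
    objects: |
      array:
        - |
          objectName: ${secret}
          objectType: secret
          objectVersion: ""
    tenantId: "${tenant_id}"
EOF
}

# Render a pod that mounts the vault objects read-only as files under
# /mnt/secrets-store via the CSI driver. Arg: SecretProviderClass name.
render_pod() {
  local spc_name=$1
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: busybox-secrets-store
spec:
  containers:
    - name: busybox
      image: busybox:1.36
      command: ["sleep", "3600"]
      volumeMounts:
        - name: secrets-store
          mountPath: /mnt/secrets-store
          readOnly: true
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "${spc_name}"
EOF
}

# Apply both manifests and list the mounted files to confirm the secret
# arrived; one file per objectName appears in the mount path.
deploy_and_verify() {
  local client_id tenant_id
  client_id=$(grant_keyvault_access)
  tenant_id=$(az account show --query tenantId -o tsv)
  render_secret_provider_class azure-kv "$KV_NAME" "$client_id" \
    "$tenant_id" "$SECRET_NAME" | kubectl apply -f -
  render_pod azure-kv | kubectl apply -f -
  kubectl wait --for=condition=Ready pod/busybox-secrets-store --timeout=120s
  kubectl exec busybox-secrets-store -- ls /mnt/secrets-store
}

# Usage: RG=... CLUSTER=... KV_NAME=... SECRET_NAME=... ./configure-kv.sh run
if [ "${1:-}" = "run" ]; then deploy_and_verify; fi
```

The render functions are pure, so you can pipe their output to a file and review it before applying; if the pod never becomes Ready, `kubectl describe pod busybox-secrets-store` shows the driver's error, which is usually a missing access policy or a wrong objectName.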
I hope you found this article helpful. If you have any questions or comments please reach out.