When working with Kubernetes, and with secrets in particular, you will know that they are not secure by default. In fact, they are just base64-encoded strings which can be easily decoded. You can use other tools to keep your secrets safe and then allow Kubernetes to access them. In this blog post I am going to talk about the Secrets Store CSI driver and Key Vault: https://azure.github.io/secrets-store-csi-driver-provider-azure/

Currently this can be installed via Helm or Kubernetes manifest files, which is nice, but if you are running Azure Kubernetes Service (AKS) like me you will have heard about AKS add-ons. The AKS product team are releasing so many cool add-ons to make our life easier.

Every now and then I look at the az cli aks-preview extension, and I came across a new add-on to install and manage the Secrets Store CSI driver that I have not seen announced or documented anywhere, so I thought I would give it a go.

Warning

Everything below is currently in preview and could change.

You will need to have the latest aks-preview extension. If you have it installed already, just use the following to upgrade.

Shell

If you have not installed it before, you can do so using the following.

Shell

Next you will need to register the new feature. You can do that by using the following. Please note that it can take a while, sometimes even 30 minutes.

Shell

After a while, run the command below until it reports that the feature is registered.

Shell

Now you will need to re-register the ContainerService provider to enable the new feature. To do that, just run the following.

Shell

Now comes the AKS add-on. You can install this add-on at cluster creation in the same way you would other add-ons, or use the option below to upgrade an existing AKS cluster. Just change the resource group and cluster name to yours.

Shell

Now if you look at the pods running in the kube-system namespace, you will see the new secrets-store pods.

Shell

That’s the Secrets Store CSI driver installed; you just need to configure it next.

When you create an AKS cluster, a managed identity is created. This is normally called “clustername-agentpool”. You need to give this managed identity access to the key vault your secrets, keys, and certificates are stored in. To find the client ID and set the key vault access, use the following. Just make sure you change the cluster resource group, cluster name and key vault name.

Shell

Now you need to create a SecretProviderClass object in your cluster. This object tells the cluster which key vault to use, which objects to fetch from it, and what identity to use to get them. Below is a template; you just need to fill it in with your information.

Information

This is a SecretProviderClass example using a user-assigned identity to access Key Vault.

JSON

Once you have that deployed, you can use the following pod example to see how to let your pods access information from Key Vault.

Information

This is a sample pod definition for using the SecretProviderClass and a user-assigned identity to access Key Vault.

JSON
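To show how the two objects above fit together, here is an added example (mine, not the post’s own template or the provider project’s files) of a SecretProviderClass for the Azure provider using the cluster’s user-assigned managed identity, followed by a pod that mounts it. It is written as YAML, and every angle-bracket value (client ID, tenant ID, key vault name, secret name) is a placeholder you replace with your own.

```yaml
# SecretProviderClass: tells the driver which Key Vault to read, which objects
# to fetch, and which identity to use. Placeholders in <> are assumptions.
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: azure-kv-user-msi
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "true"
    # Client ID of the "<clustername>-agentpool" managed identity from the az step above
    userAssignedIdentityID: "<agentpool-identity-client-id>"
    keyvaultName: "<your-key-vault-name>"
    cloudName: ""
    # Only list the objects this workload actually needs; nothing else is exposed
    objects: |
      array:
        - |
          objectName: <your-secret-name>
          objectType: secret
          objectVersion: ""
    tenantId: "<your-azure-tenant-id>"
---
# Pod: mounts the class above as a read-only CSI volume; the secret appears as
# a file at /mnt/secrets-store/<your-secret-name> inside the container.
apiVersion: v1
kind: Pod
metadata:
  name: busybox-secrets-store-user-msi
spec:
  containers:
    - name: busybox
      image: k8s.gcr.io/e2e-test-images/busybox:1.29
      command: ["/bin/sleep", "10000"]
      volumeMounts:
        - name: secrets-store-inline
          mountPath: "/mnt/secrets-store"
          readOnly: true
  volumes:
    - name: secrets-store-inline
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "azure-kv-user-msi"
```

Apply both with kubectl apply -f, then kubectl exec into the pod and cat the file under /mnt/secrets-store to confirm the mount worked; if the pod stays in ContainerCreating, kubectl describe pod usually shows the Key Vault access error from the driver.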

I hope you found this article helpful. If you have any questions or comments please reach out.

Pixel Robots.

I’m Richard Hooper aka Pixel Robots. I started this blog in 2016 for a couple reasons. The first reason was basically just a place for me to store my step by step guides, troubleshooting guides and just plain ideas about being a sysadmin. The second reason was to share what I have learned and found out with other people like me. Hopefully, you can find something useful on the site.

2 Comments

David · August 5, 2021 at 3:27 pm

Just wondering what customisations you have on Windows Terminal to show the Azure subscription etc?
