
HashiCorp Vault to populate kubernetes secrets

Recently I learned about HashiCorp Vault and its usage combined with Kubernetes. I've found two really awesome blog posts about how you can use HashiCorp Vault to generate creds on the fly by using an init-container and shared volume (post1, post2). Kubernetes also provides a good way to handle credentials with Kubernetes secrets, which also empowers one to read the credentials via environment variables. Therefore, it provides a nice abstraction to the secret storage.

My question is: could HashiCorp Vault also be used to populate Kubernetes Secrets with credentials, and how could that be achieved?

As @Rico mentioned, exposing the secrets both in Vault and in Kubernetes defeats the purpose of using Vault in the first place.

With Vault, data is encrypted (in transit/at rest), and you can provide fine-grained access control over who can access what data. Exposing the data inside Vault to a Kubernetes Secret object, which is basically limited to base64 encoding, will largely defeat the greatest benefit of Vault, which is to secure your infrastructure and be the single entity responsible for managing your secrets.

Vault is an awesome tool, but in my perception it can get quite a bit more complex for non-dev configurations, since you are going to have to attach the likes of Consul so you can have a persistent backend storage; therefore utilizing an architectural distributed pattern such as the sidecar pattern might also be extremely overkill and not recommended at all.

  • But with it you could have a Vault instance "living" in the same Pod as your "main" container, therefore leveraging the encryption service provided by Vault, but we would be tying the lifecycle of Vault to the lifecycle of the Pod.
  • With this approach we would be required to have a Vault instance on each Pod, in case we plan on having to access secret information, which will just make the system extremely more complex. With this approach we could separate the secret information required for each object on multiple Vault instances and therefore spread the secret information of our infrastructure to multiple places, but we keep on increasing the challenge of managing our infrastructure.

So I definitely understand that trying to find a way to have the secret information required for a Pod right next to it might seem tempting, especially in a simple manner, but it would definitely defeat the purpose if it is just left completely unencrypted.

With this out of the way, why not simply create a Vault controller which will be the entity responsible for interacting with Vault and which is going to be responsible for querying Vault for Wrapped Tokens, which can temporarily give access to certain secret information after being unwrapped by an init container inside the Pod? Is that due to the extra time required for starting up a Pod, since we need to perform some early calls in order to retrieve a Wrapped Token? Or is it due to the extra latency of having to perform extra calls whenever it is necessary to query secret data from Vault?

Whenever I think about the idea of integrating Kubernetes and Vault, I generally tend to think about the following prototype created by Kelsey Hightower, explained here.

My question is could HashiCorp Vault also be used to populate Kubernetes Secrets with credentials and how could that be achieved?

Yes and no.

No: There's no support from either the Kubernetes or the Vault side. There's only support to use a Service Account to authenticate with Vault. A bigger question would be why you would want Vault to populate secrets in Kubernetes secrets since they are already 'secure' in Vault.

Yes: You'll have to build your own automation. Something like this for all your secrets:

kubectl create secret generic mynicepass2 --from-literal=key1=`vault read -field=key1 <your-secret>`
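As an added illustration of the "build your own automation" route (this is not Rico's code or anything from HashiCorp; the mount `secret`, path `secret/myapp`, Secret name `mynicepass2`, namespace `default` and key `key1` are all assumed placeholders), the function below turns one Vault field into a Kubernetes Secret manifest. It reads the value from stdin instead of `--from-literal=...` so the value does not appear in process listings or shell history, and the second function makes Andre's point concrete: the `.data` field of the resulting Secret is only base64, so anyone who can read the Secret object gets the plaintext back with one command.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumed placeholders: KV v2 mount
# "secret", path secret/myapp, field key1, Secret mynicepass2 in namespace default.

# secret_manifest NAME NAMESPACE KEY
# Reads the secret value from stdin and prints a Kubernetes Secret manifest with
# the value base64-encoded under .data.KEY. Reading from stdin keeps the value out
# of argv (visible in `ps`) and out of shell history, unlike --from-literal=...
secret_manifest() {
    name="$1"; namespace="$2"; key="$3"
    # $(cat) strips trailing newlines, so `vault kv get -field=...` output
    # (which ends in a newline) does not leak a "\n" into the stored value.
    value=$(cat)
    # `tr -d '\n'` keeps the encoding on one line portably (base64 -w0 is GNU-only).
    encoded=$(printf '%s' "$value" | base64 | tr -d '\n')
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${namespace}
type: Opaque
data:
  ${key}: ${encoded}
EOF
}

# decode_field KEY < manifest
# Recovers the plaintext from the manifest: base64 is an encoding, not encryption,
# which is exactly why mirroring Vault data into Secrets weakens Vault's guarantees.
decode_field() {
    key="$1"
    sed -n "s/^  ${key}: //p" | base64 -d
}

# Intended pipeline with the real tools installed (left as a comment so the file
# runs without Vault or a cluster):
#   vault kv get -field=key1 secret/myapp \
#     | secret_manifest mynicepass2 default key1 \
#     | kubectl apply -f -
```

If you do go this way, restrict `get`/`list` on Secrets in that namespace with RBAC and enable encryption at rest for the etcd-backed Secret store; otherwise the manifest produced above is the weakest link in the chain.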

Some newer things, considering that 3 years have passed:

That is possible with BanzaiCloud's mutating webhook; in particular, pay attention to BanzaiCloud's mutating webhook.

For sure you need to consider the things mentioned by Andre: you will end up with a Kubernetes secret holding that secret data (instead of the secret data being injected into the Pod).

There is also the Vault CSI provider.
