
How to access Azure Key Vault (AKV) from Azure Kubernetes Service (AKS) using Managed Identities

We have some .NET Core App Services running on Azure and using Azure Key Vault with Managed Identities.

We are planning to deploy these .NET Core services to Azure Kubernetes, but I haven't found any relevant document/support for using AKV with Kubernetes Services. Any guidance or references?

There are a couple of options to access KV from AKS:

  • Use Azure Key Vault with FlexVol (deprecated; continue to use this for Kubernetes version 1.15)

    With Key Vault, you store and regularly rotate secrets such as credentials, storage account keys, or certificates. You can integrate Azure Key Vault with an AKS cluster using a FlexVolume. The FlexVolume driver lets the AKS cluster natively retrieve credentials from Key Vault and securely provide them only to the requesting pod. Work with your cluster operator to deploy the Key Vault FlexVol driver onto the AKS nodes. You can use a pod managed identity to request access to Key Vault and retrieve the credentials you need through the FlexVolume driver.

    Azure Key Vault with FlexVol is intended for use with applications and services running on Linux pods and nodes.

  • Use the Azure Key Vault Provider for Secrets Store CSI Driver (for Kubernetes 1.16+)

    The Azure Key Vault provider for Secrets Store CSI driver allows you to get secret contents stored in an Azure Key Vault instance and use the Secrets Store CSI driver interface to mount them into Kubernetes pods.

  • Use pod managed identities

    A managed identity for Azure resources lets a pod authenticate itself against any service in Azure that supports it, such as Storage or SQL. The pod is assigned an Azure Identity that lets it authenticate to Azure Active Directory and receive a digital token. This digital token can be presented to other Azure services, which check whether the pod is authorized to access the service and perform the required actions. This approach means that no secrets are required for database connection strings, for example.

I found the pod identity approach easier, as you don't need to change your code.
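The manifests below are an added example, not part of the answer above or of any Microsoft sample, showing how the second and third options fit together: an aad-pod-identity `AzureIdentity`/`AzureIdentityBinding` pair gives the pod a user-assigned managed identity, and a `SecretProviderClass` for the Azure Key Vault provider of the Secrets Store CSI driver uses that identity (`usePodIdentity: "true"`) to mount a Key Vault secret into the .NET container as a file. Every subscription, resource group, identity, tenant, Key Vault and image name, and the secret name `DbConnectionString`, is a placeholder assumed for the example.

```yaml
# Added example, not from the original answer. All IDs, names and the
# resource path below are hypothetical placeholders; substitute your own.
---
# 1. aad-pod-identity: make a user-assigned managed identity available in the cluster.
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentity
metadata:
  name: kv-reader
  namespace: default
spec:
  type: 0   # 0 = user-assigned managed identity
  resourceID: /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-aks-demo/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mi-kv-reader
  clientID: 11111111-1111-1111-1111-111111111111
---
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentityBinding
metadata:
  name: kv-reader-binding
  namespace: default
spec:
  azureIdentity: kv-reader
  selector: kv-reader   # pods labelled aadpodidbinding=kv-reader receive this identity
---
# 2. Secrets Store CSI driver: which Key Vault objects to fetch, authenticating with the pod identity.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: kv-demo-secrets
  namespace: default
spec:
  provider: azure
  parameters:
    usePodIdentity: "true"              # token comes from aad-pod-identity, no client secret in the cluster
    keyvaultName: "kv-demo"
    tenantId: "22222222-2222-2222-2222-222222222222"
    objects: |
      array:
        - |
          objectName: DbConnectionString  # secret name in Key Vault
          objectType: secret
---
# 3. The .NET workload: the label selects the identity; the CSI volume mounts the secret read-only.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: orders-api
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: orders-api
  template:
    metadata:
      labels:
        app: orders-api
        aadpodidbinding: kv-reader      # must match AzureIdentityBinding.spec.selector
    spec:
      containers:
        - name: orders-api
          image: example.azurecr.io/orders-api:1.0
          volumeMounts:
            - name: secrets-store
              mountPath: /mnt/secrets-store   # secret appears as /mnt/secrets-store/DbConnectionString
              readOnly: true
      volumes:
        - name: secrets-store
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: kv-demo-secrets
```

Two things must already be in place for this to work, and both are where most "403 from Key Vault" reports originate: the managed identity `mi-kv-reader` needs permission to read secrets in `kv-demo` (a Key Vault access policy with `get` on secrets, or the `Key Vault Secrets User` RBAC role), and the cluster's kubelet identity needs the `Managed Identity Operator` role on `mi-kv-reader` so aad-pod-identity can assign it. With the `aadpodidbinding` label present, `DefaultAzureCredential` from the Azure.Identity package in the .NET code also obtains tokens for this identity through the usual IMDS endpoint, which is why the application code from App Service runs unchanged. Note that aad-pod-identity (v1) has since been deprecated by Microsoft in favour of Azure AD Workload Identity, which replaces the `AzureIdentity` objects with a federated Kubernetes service account; the Secrets Store CSI driver part of the example is unaffected by that change.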
