
How to create a kubernetes secret using Spinnaker and Hashicorp Vault

We have a whole bunch of secrets on our Hashicorp Vault server. We have started testing out Spinnaker for deploying on Kubernetes, but I do not see any documentation around how to create a secret on Kubernetes by reading from Hashicorp Vault.

Can someone point me in the right direction for this? Is it even advisable to create secrets using Spinnaker, or should we just use it strictly for deployments?

The problem with creating a secret via Spinnaker is where you keep the content of the secret in the first place, to be able to create a secret from it. Wherever you keep it, it introduces a risk of compromise. So I would suggest creating the secret dynamically at runtime using a sidecar injector.

The HashiCorp Vault sidecar injector agent is a tool that can be used for this purpose. The injector is a Kubernetes Mutation Webhook Controller. The controller intercepts pod events and applies mutations to the pod if annotations exist within the request.

Since the secret gets injected directly into the pod as VolumeMounts from the Vault Server, the chance of compromise is less compared to creating a secret via Spinnaker.
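The annotation-driven injection described in the answer, as an added example that is not part of the original post or of the Vault project's own documentation: a Deployment manifest that Spinnaker could deploy unchanged, carrying the Vault Agent injector annotations so the sidecar renders the secret into the pod at runtime. It assumes the injector is installed in the cluster, Vault's Kubernetes auth method is enabled with a role named `app` bound to the `app` service account, and a KV v2 secret exists at `secret/data/app/config` with `username` and `password` fields; the image name is a placeholder.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
      annotations:
        # Ask the Vault Agent injector (mutating webhook) to add the sidecar to this pod.
        vault.hashicorp.com/agent-inject: "true"
        # Vault Kubernetes-auth role bound to this pod's service account (assumed name).
        vault.hashicorp.com/role: "app"
        # Render this KV v2 path (assumed) to /vault/secrets/config inside the pod.
        vault.hashicorp.com/agent-inject-secret-config: "secret/data/app/config"
        # Template so only the fields the app needs are written, not the raw JSON.
        vault.hashicorp.com/agent-inject-template-config: |
          {{- with secret "secret/data/app/config" -}}
          DB_USER={{ .Data.data.username }}
          DB_PASS={{ .Data.data.password }}
          {{- end }}
    spec:
      # Service account whose token the sidecar presents to Vault's Kubernetes auth.
      serviceAccountName: app
      containers:
        - name: app
          image: registry.example.com/app:1.0   # placeholder image
          # Load the rendered file into the environment, then start the application.
          command: ["sh", "-c", "set -a; . /vault/secrets/config; set +a; exec /app/server"]
```

Nothing in the manifest carries the secret value and no Kubernetes Secret object is created, so the deployment pipeline never handles the secret; the sidecar writes the rendered file to an in-memory volume shared with the app container, and what the pod may read is decided by the Vault policy attached to its role.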
