如何从部署在 Azure Kubernetes 服务 (AKS) 中作为 pod 的 Asp.net Core Docker 容器访问 Azure KeyVault?
[英]How to access Azure KeyVault from Asp.net Core Docker container deployed in Azure Kubernetes Service (AKS) as pod?
问题描述
I have an Asp.Net Core application that is configured to connect to Azure KeyVault using Visual Studio 2019 Connected Services:
我有一个配置为使用 Visual Studio 2019 连接服务连接到 Azure KeyVault 的 Asp.Net Core 应用程序:
https://docs.microsoft.com/en-us/azure/key-vault/general/vs-key-vault-add-connected-service https://docs.microsoft.com/en-us/azure/key-vault/general/vs-key-vault-add-connected-service
I containerized the application with Docker and deployed it into Kubernetes as a Pod.我使用 Docker 将应用程序容器化,并将其作为 Pod 部署到 Kubernetes 中。 The KeyVault connection is not working, probably because of the Managed Identity not set-up. KeyVault 连接不起作用,可能是因为未设置托管标识。
I tried:我试过:
- Added the Kubernetes agent Managed Identity to the KeyVault Acccess policies like I would do with App Services or Container Services, but does not allow the connection.将 Kubernetes 代理托管标识添加到 KeyVault 访问策略,就像我对应用服务或容器服务所做的那样,但不允许连接。
- Followed the docs here: https://docs.microsoft.com/en-us/azure/key-vault/general/key-vault-integrate-kubernetes遵循此处的文档: https : //docs.microsoft.com/en-us/azure/key-vault/general/key-vault-integrate-kubernetes
I wonder if the "Azure Key Vault provider for the Secrets Store CSI driver on Kubernetes" is the right way to use KeyVault from a pod, or if there is a simpler solution like a direct connection.我想知道“Kubernetes 上 Secrets Store CSI 驱动程序的 Azure Key Vault 提供程序”是否是从 pod 使用 KeyVault 的正确方法,或者是否有更简单的解决方案,例如直接连接。
2 个解决方案
解决方案1
1 已采纳 2020-10-02 17:17:28
The solution, for whoever is in my situation, is to use AAD-Pod Identity对于处于我这种情况的人,解决方案是使用AAD-Pod Identity
There is no need to attach a CSI Driver unless you need the Secrets in the Kubernetes configuration, want total control on custom configurations, or have the cluster outside Azure.不需要附加 CSI 驱动程序,除非您需要 Kubernetes 配置中的 Secrets,想要完全控制自定义配置,或者在 Azure 之外拥有集群。
For Asp.Net Core applications deployed to AKS, the easiest way is to use Managed Identities, and to provide that to your Kubernetes Cluster you need AAD-Pod identity.对于部署到 AKS 的 Asp.Net Core 应用程序,最简单的方法是使用托管身份,并将其提供给您的 Kubernetes 集群,您需要 AAD-Pod 身份。
There is not a documentation page yet, but following the Get Started instructions on GitHub is enough to get it going.目前还没有文档页面,但是按照 GitHub 上的入门说明进行操作就足够了。
解决方案2
0 2021-03-01 22:21:28
I managed to get a secret from the Azure key vault in my pod, using Managed Identity.我设法使用托管标识从我的 pod 中的 Azure 密钥保管库中获取了一个秘密。 Just add the .identityProfile.kubeletidentity.clientId of the AKS cluster as a Key Vault policy to read the secrets.只需添加 AKS 集群的 .identityProfile.kubeletidentity.clientId 作为 Key Vault 策略即可读取机密。 You must set this policy through the Azure Portal, because the "az keyvault set-policy" expects the --object-id to be a principalId i guess...您必须通过 Azure 门户设置此策略,因为“az keyvault set-policy”期望 --object-id 是 principalId 我猜...
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.