从 POD 访问 GCP 机密管理器中的机密
[英]Access secrets in GCP secret manager from PODs
问题描述
Some secrets need to be fetched by the PODS, secrets are stored in GCP secret manager, what is the secure and efficient way to fetch the secrets within the pod ?
一些机密需要由 PODS 获取,机密存储在 GCP 机密管理器中,在 Pod 内获取机密的安全有效方法是什么?
Thank you !谢谢 !
1 个解决方案
解决方案1
1 已采纳 2021-07-13 12:16:22
There isn't a native integration between Kubernetes Secrets and Google Secret Manager. Kubernetes Secrets 和 Google Secret Manager 之间没有本地集成。 As described in the documentation , the best solution is to use the Secret Manager client library to interact with secret manager and especially to access them.如文档中所述,最好的解决方案是使用 Secret Manager 客户端库与 Secret Manager 交互,尤其是访问它们。
At the security point of view, using Workload Identity is also the best solution to use a specific service account for your deployment and then enforce the least privilege principle.从安全角度来看,使用 Workload Identity 也是为您的部署使用特定服务帐户然后执行最小权限原则的最佳解决方案。
If you don't do that, you will use, by default, the Node service account (this one on the Compute Engine) and you will have to grant this service account to access the secrets.如果您不这样做,默认情况下您将使用 Node 服务帐户(Compute Engine 上的此帐户),并且您必须授予此服务帐户访问机密的权限。 And, because it's the NODE identity, all the pods running on these nodes will have the same permissions and will be allowed to access the secrets!而且,因为它是 NODE 身份,所以在这些节点上运行的所有 pod 都将拥有相同的权限,并被允许访问机密!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.