
Protect Your Kubernetes Secrets: Securing with Azure Key Vault 

Zoom Speaks Tech

In this video, we take a look at the Azure Key Vault Provider for Secrets Store CSI Driver. This provider allows you to mount secrets from Azure Key Vault directly to your pods, eliminating the need to manage those secrets in your YAML files or in your deployment pipelines.
Here is a link for the provider documentation: azure.github.io/secrets-store...
GitHub Repo: github.com/helshabini/kuberne...
0:00 Intro
0:44 Problem statement
8:32 Deployment and usage of Azure KeyVault Provider

Published: 2 Aug 2024

Comments: 42
@SomeInfoSecDude 2 years ago
Finally the problem is clearly explained. This is what the other videos just skip through, expecting everyone to be a developer with experience on all this. Great video.
@mgpollachi1 2 years ago
Thank you... you saved me from 2 days of frustration on this exact same problem.
@rin22john 3 years ago
Very nice video. Thank you for sharing it with us.
@krishnadaskp21 2 years ago
Excellent video. Cleared the concept for me.
@number-27 2 years ago
Exactly the crash course I was looking for!
@cartierin 3 years ago
Great video!! I would love to see another video with Nginx ingress and TLS with Key Vault.
@HelpingHands3838 2 years ago
Simply great ... Good job
@mehmetcolgecen9533 1 year ago
It is a good one, really enjoyed the explanations, keep going!!!
@faisalabdi6350 1 year ago
May Allah reward you with good, my generous brother. Don't stop, so that we can benefit from your experience.
@karthikvijay4824 3 years ago
Very well made video, thanks.
@ZoomSpeaksTech 3 years ago
Glad you liked it. More coming up soon.
@VCSekharParepalli 1 year ago
Awesome wording, scripts, content and pace.
@ZoomSpeaksTech 1 year ago
Much appreciated!
@kalirajannatarajan1114 2 years ago
Good video. Thanks
@ZoomSpeaksTech 2 years ago
Glad it helped
@GodisGreater01 2 years ago
So I worked on this for a very long time and figured out that if you just check the section under Advanced - Enable secret store CSI driver. You can do this when creating the Kubernetes service or after, under the cluster configuration tab. I do not get an error when trying to connect to the secret when mounting the volume.
@helshabini 2 years ago
Thank you Chris, at the time of recording the video this was not available I think. Thank you so much for sharing your finding.
@rengaprakashsoundararajan9001 2 years ago
Thanks a lot
@nikhilsinghal1315 3 years ago
Nice video! This video actually explains why and what we are doing instead of just random instructions like other videos. BTW, we are still saving the service principal client ID and password in a Kubernetes secret, which defeats the purpose of this complete video. Can we do this with managed identities?
@ZoomSpeaksTech 3 years ago
Hi Nikhil, yes, for sure Managed Identities is the best alternative. This guide goes through the process for using User Assigned Managed Identities, which I think is a better way than using the System Assigned one: docs.microsoft.com/en-us/azure/key-vault/general/key-vault-integrate-kubernetes#create-your-own-secretproviderclass-object
@ahmedtheba3808 2 years ago
In all of the various options we still end up with a credential on disk/mount in clear or Base64 encoded form. There is no protection of the secret if the container is breached. All that we have done is cleaned up the code and pipelines from being littered with secrets.
@ZoomSpeaksTech 2 years ago
That's true. And there is no way around it except if you take the time/effort to write code in your application to try and grab its own secrets from Key Vault using its managed identity.
@kadabaraghu 2 years ago
I am using the SecretProviderClass as per the directions. It's creating the SecretProviderClass but it's not creating the secret; when I query with kubectl get secrets I don't find them there. Could you please let me know what could be wrong, or is there any additional step I need to follow? In this example you create the secrets prior; should we do the same???
@ZoomSpeaksTech 2 years ago
No, the secret should be created for you. If it is not, then there is probably a permission issue somewhere. Check the logs of the secrets provider containers and it might point you somewhere.
@skannan74 2 years ago
Thanks for the video. When I run the YAML, I can see the mnt created but it fails to create the secret. Here is the error I get: "Warning Failed 8s (x3 over 20s) kubelet Error: secret "nginx-secret" not found".
@ZoomSpeaksTech 2 years ago
That just means the secret was not created by the driver. Make sure you've specified the correct settings/permissions in the driver YAML.
@skannan74 2 years ago
@ZoomSpeaksTech I followed the examples provided in this video and did exactly the same. Can you please throw some light on what are the things I need to check for "correct settings/permissions"? And thanks for your very fast response.
@ZoomSpeaksTech 2 years ago
@skannan74 I would look at the SecretProviderClass configuration and make sure that the Key Vault secret I am trying to read actually exists and that the CSI driver has the necessary account to do so: docs.microsoft.com/en-us/azure/aks/csi-secrets-store-driver#sync-mounted-content-with-a-kubernetes-secret I would also double check that entire document I sent. My video is now a little dated, and it might be useful to use this doc as an updated reference.
@sharatbhaskar527 3 years ago
When I run this command export SERVICE_PRINCIPAL_CLIENT_ID="$(az ad sp show --id secrets-store-test --query 'appId' -otsv)" it says the service principal does not exist. Please suggest.
@ZoomSpeaksTech 3 years ago
Hi Sharat, this is probably because of a typo in your command. There should be a space between -o and the tsv param. Make sure that if you run the az ad sp command it does produce the proper expected output.
@alisyed9240 2 years ago
If the secret volumes are still mounted inside the container, does it mean that the password would still be in clear text and we can simply read the password file?
@ZoomSpeaksTech 2 years ago
Yes indeed; if you want an additional layer of security then you can encrypt it and decrypt it using your app.
@alisyed9240 2 years ago
@ZoomSpeaksTech Would other solutions like HashiCorp Vault do the same thing, like mount secret volumes with the password in plain text, or will they at least automatically encrypt it?
@ZoomSpeaksTech 2 years ago
They work exactly the same. If this bothers you, the other option is to write code to extract secrets from a secure vault like Azure Key Vault in your app.
@yasirm 2 years ago
Can you share your repo?
@ZoomSpeaksTech 2 years ago
Sure, here you go: github.com/helshabini/kubernetes-akv
@yasirm 2 years ago
@ZoomSpeaksTech Thank you
@ramallways6321 1 year ago
Then it creates secrets in the k8s cluster, so that means there is no encryption here, because a k8s secret just encodes and decodes using base64. Now there is no point in using this one, I guess.
@mkeii 1 year ago
Gosh, Kubernetes can be so verbose sometimes. This is neat, but every time I have a new secret, I have to update: 1. the deployment, 2. the SecretProviderClass parameters.objects, 3. the SecretProviderClass secretObjects 😓
@ZoomSpeaksTech 1 year ago
I agree. You can automate everything, but at some point it would be overkill to build something that serves no specific function other than to overcome verbosity. Which is why sometimes I prefer my apps to grab their own secrets whenever possible and absolve Kubernetes of having to manage that. Key Vault integration can be easily done in most languages from the app code itself. The app merely needs a managed identity to be able to grab it.