hashicorp.com: Vault & Kubernetes: Better Together
Using Static secrets
(can apply TTL)
Using Dynamic secrets
(Secrets are also easy to rotate and revoke; if an employee leaves your organization, you can easily and securely revoke their access.)
Using transit encryption in Kubernetes
(Vault provides “encryption as a service,” encrypting data in transit (with TLS) and at rest (using AES 256-bit CBC encryption).)
Key k8s components
MutatingAdmissionWebhook
An admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the object, but after the request is authenticated and authorized.
Service Account
A service account provides an identity for processes that run in a Pod.
Configure Service Accounts for Pods
How it works
The Service Account gives the pod an identity, and Vault uses that identity (via its Kubernetes auth method) to decide which secrets the pod may read; the mutating webhook injects an init container (plus a vault-agent sidecar) into the Pod that fetches the secret from Vault and writes it to a temporary shared volume the application container mounts.
Example:
Application Pod
  Init Containers:
    vault-agent-init:
      Container ID: docker://eb9a90c1b4105102e6180bd622e954e90fc34259da37b167c9e1ea5718152db1
      Image: vault:1.7.0
      Image ID: docker-pullable://vault@sha256:635cf1c3f9b10fe03aad375f94cc61f63d74a189662165285a8bf1c189ea04b8
      Port: <none>
      Host Port: <none>
  Containers:
    orgchart:
      Container ID: docker://425f5a5b26921ee6873233b714156201754489e1edf0b59f62bc9b928599c887
      Image: jweissig/app:0.0.1
      Image ID: docker-pullable://jweissig/app@sha256:54e7159831602dd8ffd8b81e1d4534c664a73e88f3f340df9c637fc16a5cf0b7
    vault-agent:
      Container ID: docker://4ddb15c3cdaa9c215031197dfdd62e43a842b92559e1d9a0596b184a21f144c7
      Image: vault:1.7.0
      Image ID: docker-pullable://vault@sha256:635cf1c3f9b10fe03aad375f94cc61f63d74a189662165285a8bf1c189ea04b8
Vault
  Containers:
    vault:
      Container ID: docker://7194b9fd5e0c071ad4dfe12b4fd622c64bef8c324b70ed503224fc3807cb2ab4
      Image: vault:1.7.0
      Image ID: docker-pullable://vault@sha256:635cf1c3f9b10fe03aad375f94cc61f63d74a189662165285a8bf1c189ea04b8
      Ports: 8200/TCP, 8201/TCP, 8202/TCP
      Host Ports: 0/TCP, 0/TCP, 0/TCP
Vault-agent-injector
  Containers:
    sidecar-injector:
      Container ID: docker://a53b4895a6479c16c5b3e9248c15fa85388f1ea3167a36dff81d4b75d954ff05
      Image: hashicorp/vault-k8s:0.9.0
      Image ID: docker-pullable://hashicorp/vault-k8s@sha256:65731b0513c95f683ee52528e6ccf24f6de0092700e869cdc5ff5d8354b5d86e
      Environment:
        AGENT_INJECT_LISTEN: :8080
        AGENT_INJECT_LOG_LEVEL: info
        AGENT_INJECT_VAULT_ADDR: http://vault.default.svc:8200
        AGENT_INJECT_VAULT_AUTH_PATH: auth/kubernetes
        AGENT_INJECT_VAULT_IMAGE: vault:1.7.0
        AGENT_INJECT_TLS_AUTO: vault-agent-injector-cfg
        AGENT_INJECT_TLS_AUTO_HOSTS: vault-agent-injector-svc,vault-agent-injector-svc.default,vault-agent-injector-svc.default.svc
        AGENT_INJECT_LOG_FORMAT: standard
        AGENT_INJECT_REVOKE_ON_SHUTDOWN: false
Agent Inject: Agent Inject is a mutating webhook controller that injects Vault Agent containers into pods that carry specific annotations. (Requires Vault 1.3.1+)
Demo Steps
Clone github repo
Install Vault & Vault-Agent-Injector
Enable Key-Value Secret Engine
Create a secret at path internal/database/config with a username and password
Enable the Kubernetes authentication method
Enables clients to authenticate with a Kubernetes Service Account Token.
Configure the Kubernetes authentication method to use the service account token, the location of the Kubernetes host, and its certificate.
Grant read capability to read from path: internal/data/database/config
Create a Kubernetes authentication role named internal-app
Define a Kubernetes service account
Create a service account named internal-app.
Launch an application
Inject secrets into the pod
Display the secret written to the orgchart container.
Pod with annotations
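The demo steps above, from enabling the KV engine through displaying the rendered secret, collected into one script. This is an added example, not the page's or HashiCorp's own code. It assumes a kubectl context for the cluster where Vault runs as pod vault-0 in dev mode (so the vault CLI inside the pod is already authenticated) and the vault-agent-injector is installed in the same namespace; the pod name, the namespace default, the demo username/password values and the database-config.txt template are constructed here. Set RUN_DEMO=1 to execute the steps; without it the script only defines the helpers.

```shell
#!/bin/sh
# Added example (not the page's own code): the "Demo Steps" as one script.
# Assumes: Vault in dev mode as pod $VAULT_POD, the injector installed, and a
# kubectl context pointing at that cluster. RUN_DEMO=1 runs the steps.
set -eu

NAMESPACE=${NAMESPACE:-default}
VAULT_POD=${VAULT_POD:-vault-0}           # assumed pod name (Helm default)
MOUNT=internal                            # KV v2 mount
SECRET_PATH=internal/database/config      # path used with `vault kv put`
DATA_PATH=internal/data/database/config   # API path KV v2 serves; the policy names this
ROLE=internal-app                         # Kubernetes auth role
SA=internal-app                           # service account bound to the role

# Run a vault CLI command inside the Vault pod; stdin is passed through.
vault_exec() { kubectl -n "$NAMESPACE" exec -i "$VAULT_POD" -- sh -c "$1"; }

# Least-privilege policy: read-only on the single KV v2 data path.
render_policy() {
  printf 'path "%s" {\n  capabilities = ["read"]\n}\n' "$1"
}

# Deployment for the demo app with the injector annotations set. The secret
# file name and template are constructed; the agent renders the template to
# /vault/secrets/database-config.txt in the shared volume.
render_deployment() {
  cat <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: orgchart
  labels:
    app: orgchart
spec:
  selector:
    matchLabels:
      app: orgchart
  replicas: 1
  template:
    metadata:
      labels:
        app: orgchart
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "$ROLE"
        vault.hashicorp.com/agent-inject-secret-database-config.txt: "$DATA_PATH"
        vault.hashicorp.com/agent-inject-template-database-config.txt: |
          {{- with secret "$DATA_PATH" -}}
          postgresql://{{ .Data.data.username }}:{{ .Data.data.password }}@postgres:5432/wizard
          {{- end -}}
    spec:
      serviceAccountName: $SA
      containers:
        - name: orgchart
          image: jweissig/app:0.0.1
EOF
}

run_demo() {
  # 1. Enable the KV v2 engine and write the secret (constructed demo values).
  vault_exec "vault secrets enable -path=$MOUNT kv-v2"
  vault_exec "vault kv put $SECRET_PATH username=db-readonly-username password=db-secret-password"

  # 2. Enable Kubernetes auth and point it at the API server, using the Vault
  #    pod's own service account token and the cluster CA so Vault can call TokenReview.
  vault_exec "vault auth enable kubernetes"
  vault_exec 'vault write auth/kubernetes/config \
    token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
    kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
    kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt'

  # 3. Policy and role: the role binds ONLY the named service account in the
  #    named namespace, so a pod running as any other account gets nothing.
  render_policy "$DATA_PATH" | vault_exec "vault policy write $ROLE -"
  vault_exec "vault write auth/kubernetes/role/$ROLE \
    bound_service_account_names=$SA \
    bound_service_account_namespaces=$NAMESPACE \
    policies=$ROLE ttl=24h"

  # 4. Service account, then the annotated deployment; the webhook adds the
  #    vault-agent-init and vault-agent containers seen in the describe output.
  kubectl -n "$NAMESPACE" create serviceaccount "$SA"
  render_deployment | kubectl -n "$NAMESPACE" apply -f -
  kubectl -n "$NAMESPACE" rollout status deployment/orgchart

  # 5. Display the rendered secret from the application container, not the agent.
  pod=$(kubectl -n "$NAMESPACE" get pod -l app=orgchart -o jsonpath='{.items[0].metadata.name}')
  kubectl -n "$NAMESPACE" exec "$pod" -c orgchart -- cat /vault/secrets/database-config.txt
}

if [ "${RUN_DEMO:-0}" = 1 ]; then run_demo; fi
```

The two things worth checking after running it are the pod's container list (two extra containers injected by the webhook, matching the describe output above) and that the policy names the `internal/data/...` path rather than the `internal/database/...` path used by `vault kv put`; a policy written against the latter grants nothing on KV v2.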
References:
Injecting Vault Secrets Into Kubernetes Pods via a Sidecar
Injecting Secrets into Kubernetes Pods via Vault Agent Containers | Vault
Static Secrets: Key/Value Secrets Engine | Vault
Configure Service Accounts for Pods
Transform Secrets Engine | Vault
The Kubernetes API call is coming from inside the cluster!
HashiCorp EKS Vault on AWS - Quick Start
End-to-End Automation for Vault on Kubernetes Using the Operator Pattern