How to manage Kubernetes secrets? - kubernetes

Can anyone suggest me How I manage my Kubernetes secrets? till now I used to use kubectl or Helm to apply secrets from my local system but this is not the right way to do I guess. I also refer few docs about managing Kubernetes secrets, from that some are mention below,
I find hashicorp vault which is also used to manage secrets https://www.vaultproject.io/use-cases/kubernetes
Aws secret https://aws.amazon.com/secrets-manager/
but still, I m looking for the other available option to manage secrets. Please suggest me the best and most secure way to store and manage secrets in Kubernetes. for your kind information I m using AWS EKS cluster so please help me out

Related

Can we configure AWS Secrets Manager to integrate with an on-premises k8s cluster

I setup a EKS cluster and integrated AWS Secrets Manager in it following the steps mentioned in https://github.com/aws/secrets-store-csi-driver-provider-aws and it worked as expected.
Now we have a requirement to integrate the AWS Secrets Manager on an on-premises k8s cluster and I am unable to follow the same steps as they seem to be explicitly for AWS EKS based clusters.
I googled around a bit and found you can call the Secrets Manager programmatically using one of the ways in https://docs.aws.amazon.com/secretsmanager/latest/userguide/asm_access.html, but this approach wont work for us.
Is there a k8s way to directly connect to AWS secrets Manager without setting up AWS-CLI and the OIDC cluster ID on the on-premises cluster?
Any help would be highly appreciated.
You can setup external OIDC providers with AWS and also setup K8s to with OIDC, but that is a lot of work.
AWS recently announced IAM Roles Anywhere which will let you use host based certificates to authenticate, but you will still have to call the Secrets Manager APIs.
If you are willing to retrieve secrets through etcd (which may store the secrets base64 encoded on the cluster) you can look at using the opensource External Secrets solution.

How to setup GKE Cluster and GKE pods has to communicate with cloud sql and cloud sql password stored on google cloud secret manager

I am trying to setup google kubernetes engine and its pods has to communicate with cloud sql database. The cloud sql database credentials are stored on google cloud secret manger. How pods will fetch credentials from secret manager and if secret manager credentials are updated than how pod will get update the new secret?
How to setup above requirement? Can you someone please help on the same?
Thanks,
Anand
You can make your deployed application get the secret (password) programmatically, from Google Cloud Secret Manager. You can find and example in many languages in the following link: https://cloud.google.com/secret-manager/docs/samples/secretmanager-access-secret-version
But before make sure that your GKE setup, more specifically your application is able to authenticate to Google Cloud Secret Manager. The following links can help you to choose the appropriate approche:
https://cloud.google.com/kubernetes-engine/docs/tutorials/authenticating-to-cloud-platform
https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
You can find information regarding that particular solution in this doc.
There are also good examples on medium here and here.
To answer your question regarding updating the secrets:
Usually secrets are pulled when the container is being created, but if you expect the credentials to change often (or for the pods to stick around for very long) you can adjust the code to update the secrets on every execution.

Vault deployment in alive cluster using terraform

I want to deploy vault with a cluster which contains microservices and my vault shouldn't have an external access, and everything should be done using terraform. Does anyone know how to do it?
Please read the Terraform Getting started on how to create Terraform code.
You will need to use the Google Provider to deploy your resources. On that page you can view resources like kubernetes, vault and lots of others.

How to create a kubernetes secret using Spinnaker and Hashicorp Vault

We have a whole bunch of secrets on our Hashicorp Vault server. We have started testing out spinnaker for deploying on Kubernetes but I do not see any documentation around how to create a secret on kubernetes reading from Hashicorp Vault.
Can someone point me in the right direction for this? Is it even advisable to create secrets using Spinnaker or should we just use it strictly for deployments?
The problem with creating secret via spinnaker is that where do you keep the content of the secret in the first place to be able to create a secret from it. Wherever you keep it it introduces a risk of compromise. So I would suggest to create the secret dynamically at runtime using a sidecar injector.
HashiCorp Vault sidecar injector agent is a tool that can be used for this purpose. The injector is a Kubernetes Mutation Webhook Controller. The controller intercepts pod events and applies mutations to the pod if annotations exist within the request.
Since the secret gets injected directly into the pod as VolumeMounts from the Vault Server the chance of compromise is less compared to creating a secret via Spinnaker

How are Kuberenetes secrets stored on Amazon EKS

I set up a managed Kubernetes cluster via Amazon EKS. Now I’m wondering whether Kubernetes Secrets are stored securely (at rest and transit) by default or if there is additional configuration necessary.
The relevant Kubernetes docs are not really helpful in this constellation l, all they say is that secret encryption depends on the cloud provider.
Any help, links or samples are greatly appreciated!
It appears the answer is yes, they are encrypted at rest, but this is hearsay. There's an open github issue on this topic, and nobody else can find definitive docs stating this, either.