Inject vault secret into K8s configmap - kubernetes

I have deployed Vault in K8s. I would like to know how to inject the Vault secret into the ConfigMap of an application which has all the configuration of the application.

It's not possible; you cannot mount the Vault secret into a ConfigMap. But you can inject both the ConfigMap and the Vault secret in parallel into a single deployment.
If you are mounting the ConfigMap as a file, you can mount the Vault secret as a file into the same directory or another directory.
If injecting the ConfigMap as an environment variable, you can also do the same with the Vault secret.
If you are injecting the ConfigMap as an environment variable, I would suggest checking out: https://github.com/DaspawnW/vault-crd
vault-crd syncs the Vault secret to a Kubernetes Secret, and you can easily inject the Kubernetes Secret into the deployment. Although it's not good from a security perspective.
There are many different methods to inject a Vault secret into a deployment.
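One way to set up the "both as files, side by side" layout described above, as an added example that is not part of the answer: non-secret settings come from a ConfigMap (as env vars and as files under /etc/app) while the Vault secret is written by the Vault Agent Injector sidecar to /vault/secrets/db.env. Assumed placeholders: ConfigMap "app-config", ServiceAccount "app", Vault auth role "app", KV v2 path secret/data/app/db.

```shell
# Added example, not from the answer above: non-secret settings come from a ConfigMap
# (as env vars and as files under /etc/app) while the Vault secret is written by the
# Vault Agent Injector sidecar to /vault/secrets/db.env. Assumed placeholders: ConfigMap
# "app-config", ServiceAccount "app", Vault auth role "app", KV v2 path secret/data/app/db.
set -e

app_manifest() {
  cat <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
spec:
  selector:
    matchLabels: {app: app}
  template:
    metadata:
      labels: {app: app}
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "app"
        # Render the Vault secret to /vault/secrets/db.env as KEY=value lines
        vault.hashicorp.com/agent-inject-secret-db.env: "secret/data/app/db"
        vault.hashicorp.com/agent-inject-template-db.env: |
          {{- with secret "secret/data/app/db" -}}
          DB_PASSWORD={{ .Data.data.password }}
          {{- end }}
    spec:
      serviceAccountName: app
      containers:
      - name: app
        image: registry.example/app:1.0
        envFrom:
        - configMapRef: {name: app-config}   # ConfigMap keys as env vars
        volumeMounts:
        - name: config
          mountPath: /etc/app                # ConfigMap keys as files
      volumes:
      - name: config
        configMap: {name: app-config}
EOF
}

apply_app() {
  # Only non-secret values go in the ConfigMap; the password never touches it.
  kubectl create configmap app-config --from-literal=DB_HOST=db.internal \
    --from-literal=LOG_LEVEL=info --dry-run=client -o yaml | kubectl apply -f -
  app_manifest | kubectl apply -f -
}
```

Run `apply_app` with a kubeconfig pointing at the cluster; the application then reads its config from /etc/app (or the environment) and the password from /vault/secrets/db.env.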

Related

Azure AKS: how to avoid resource creation in "default" namespace during cluster creation

I am trying to create a K8s cluster in Azure AKS, and when the cluster is ready I can see that a couple of resources are created within the default namespace. For example a Secret and a ConfigMap:
As a security recommendation NO K8s resources should be created under the default namespace, so how do I avoid it? They are created by default during cluster creation.
I have found the same question asked here:
User srbose-msft (Microsoft employee) explained the principle of operation very well:
In Kubernetes, a ServiceAccount controller manages the ServiceAccounts inside namespaces, and ensures a ServiceAccount named "default" exists in every active namespace. [Reference]
TokenController runs as part of kube-controller-manager. It acts asynchronously. It watches ServiceAccount creation and creates a corresponding ServiceAccount token Secret to allow API access. [Reference] Thus, the secret for the default ServiceAccount token is also created.
Trusting the custom CA from an application running as a pod usually requires some extra application configuration. You will need to add the CA certificate bundle to the list of CA certificates that the TLS client or server trusts. For example, you would do this with a golang TLS config by parsing the certificate chain and adding the parsed certificates to the RootCAs field in the tls.Config struct.
You can distribute the CA certificate as a ConfigMap that your pods have access to use. [Reference] AKS implements this in all active namespaces through ConfigMaps named kube-root-ca.crt in these namespaces.
You shall also find a Service named kubernetes in the default namespace. It has a ServiceType of ClusterIP and exposes the API Server Endpoint also named kubernetes internally to the cluster in the default namespace.
All the resources mentioned above will be created by design at the time of cluster creation and their creation cannot be prevented. If you try to remove these resources manually, they will be recreated to ensure desired goal state by the kube-controller-manager.
Additionally:
The "Kubernetes clusters should not use the default namespace" Policy is still in Preview. Currently the schema does not explicitly allow for Kubernetes resources in the default namespace to be excluded during policy evaluation. However, at the time of writing, the schema allows for labelSelector.matchExpressions[].operator, which can be set to NotIn with appropriate labelSelector.matchExpressions[].values for the Service default/kubernetes with label:
component=apiserver
The default ServiceAccount, the default ServiceAccount token Secret and the RootCA ConfigMap themselves are not created with any labels and hence cannot be added to this list. If this is impeding your use-case, I would urge you to share your feedback at https://techcommunity.microsoft.com/t5/azure/ct-p/Azure

Are ConfigMaps and Secrets managed at node level?

I want to know if different nodes can share Secrets and ConfigMaps. I went through the Kubernetes documentation at https://kubernetes.io/docs/concepts/configuration/secret/ but could not find exact information.
All Kubernetes resources are stored centrally in the etcd database and accessed through the Kubernetes API server. When using ConfigMaps or Secrets, the data inside them is directly embedded into the resource itself (i.e. unlike a PersistentVolume, for example, they do not just reference data stored somewhere else). This is also the reason why the size of a ConfigMap or Secret is limited.
As such, they can be used on all Kubernetes nodes. When you have a Pod which is using them, the ConfigMaps or Secrets will be mapped to the node where the Pod is scheduled. So the files from the ConfigMap or Secret might exist on a given node, but those will be just copies of the original ConfigMap or Secret stored centrally in the etcd database.

Kubernetes secret programmatically update

Is there a way to programmatically update a Kubernetes Secret from a pod? That is, not using kubectl.
I have a secret mounted on a pod and also exposed via an environment variable. I would like to modify it from my service, but it looks like it's read-only by default.
You can use the Kubernetes REST API with the pod's ServiceAccount token as credentials (found at /var/run/secrets/kubernetes.io/serviceaccount/token inside the pod); you just need to allow the service account to edit secrets in the namespace via a Role.
See Secret for the API docs.
The API server is internally reachable via https://kubernetes.default.
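The approach in the answer above, as an added example that is not part of the answer: patch a Secret from inside the pod with the mounted ServiceAccount token, plus the least-privilege Role it needs (get/patch on that one Secret only). Assumed placeholders: Secret "app-secret", ServiceAccount "app" in namespace "default".

```shell
# Added example, not from the answer above: patch a Secret from inside the pod with the
# mounted ServiceAccount token, plus the least-privilege Role it needs (get/patch on that
# one Secret only). Assumed placeholders: Secret "app-secret", ServiceAccount "app".
set -e
SA_DIR=/var/run/secrets/kubernetes.io/serviceaccount
API=https://kubernetes.default

# Secret.data values must be base64; build a strategic-merge-patch body for one key.
build_patch() {  # build_patch KEY VALUE
  printf '{"data":{"%s":"%s"}}' "$1" "$(printf '%s' "$2" | base64 | tr -d '\n')"
}

# Scope the grant with resourceNames so the token cannot read or edit other Secrets.
rbac_manifest() {
  cat <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: app-secret-writer}
rules:
- apiGroups: [""]
  resources: [secrets]
  resourceNames: [app-secret]
  verbs: [get, patch]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: app-secret-writer}
subjects:
- {kind: ServiceAccount, name: app, namespace: default}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: Role, name: app-secret-writer}
EOF
}

# Run inside the pod: PATCH via https://kubernetes.default, trusting the cluster CA.
patch_secret() {  # patch_secret SECRET KEY VALUE
  ns=$(cat "$SA_DIR/namespace")
  curl -sSf --cacert "$SA_DIR/ca.crt" \
    -H "Authorization: Bearer $(cat "$SA_DIR/token")" \
    -H 'Content-Type: application/strategic-merge-patch+json' \
    -X PATCH --data "$(build_patch "$2" "$3")" \
    "$API/api/v1/namespaces/$ns/secrets/$1" > /dev/null
}
```

After the patch the kubelet refreshes a Secret volume on its next sync (subPath mounts excepted), whereas a value exposed through an environment variable is fixed at container start and only changes on restart.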

Can we use vault with kubernetes without sidecar or init container?

Our current model is to use init containers to fetch secrets from Vault. But when the application crashes due to OOM issues, the pod goes into CrashLoopBackOff state. Also, we don't want to overload the pod with a sidecar container. Is there any other way to use Vault with Kubernetes?
Yes, you can use Vault without using the sidecar container.
You can create a path in Vault and save the key-value pairs inside it.
Use KV1 or KV2 as per your requirement.
To sync Vault values with a Kubernetes Secret you can use:
https://github.com/DaspawnW/vault-crd
Vault CRD is a custom resource that will sync your Vault variables to a Kubernetes Secret at the specific intervals you define.
Each time a new value is updated in Vault, it will be synced back to the Secret, and you can inject that Secret into a Deployment or StatefulSet as needed.

How to inject secrets from vault to Kubernetes pods

All,
I have all my secrets stored in Vault. How can I fetch secrets from Vault and inject them into pods?
Do I have to use a sidecar for it, or is there some easier way?
There is one great project on GitHub, Vault-CRD in Java: https://github.com/DaspawnW/vault-crd
Vault CRD for sharing Vault secrets with Kubernetes. It injects and syncs values from Vault to a Kubernetes Secret. You can use these secrets as environment variables inside the pod.
The sidecar pattern is common with Kubernetes applications and can be applied to access secrets from Vault.
There is a great step-by-step walkthrough, hands-on-with-vault-on-kubernetes, on GitHub. This will answer all your basic questions on how to do this, with examples.
One more for your reference: Injecting Vault Secrets Into Kubernetes Pods via a Sidecar