Our current model is to use init containers to fetch secrets from Vault. But when the application crashes due to OOM issues, the pod goes into a CrashLoopBackOff state. Also, we don't want to overload the pod with a sidecar container. Is there any other way to use Vault with Kubernetes?
Yes, you can use Vault without using a sidecar container.
You can create a path in Vault and save the key-value pairs inside it.
Use the KV1 or KV2 engine as per your requirement.
To sync Vault values with a Kubernetes Secret you can use:
https://github.com/DaspawnW/vault-crd
Vault CRD is a custom resource that will sync your Vault variables to a Kubernetes Secret at the specific intervals you define.
Each time a new value is updated in Vault, it will sync back to the Secret, and you can inject that Secret into a Deployment or StatefulSet as needed.
I have deployed Vault in K8s. I would like to know how to inject the Vault secret into the ConfigMap of an application which holds all the configuration of the application.
It's not possible; you cannot mount the Vault secret into a ConfigMap. But you can inject both a ConfigMap and a Vault secret into a single Deployment in parallel.
If you are mounting the ConfigMap as a file, you can mount the Vault secret as a file into the same directory or another directory.
If injecting the ConfigMap as an environment variable, you can also do the same with the Vault secret.
If you are injecting the ConfigMap as an environment variable, I would suggest checking out https://github.com/DaspawnW/vault-crd
vault-crd syncs the Vault secret to a Kubernetes Secret, and you can easily inject the Kubernetes Secret into a Deployment. Although it's not good from a security perspective.
There are many different methods you can use to inject Vault secrets into a Deployment.
I have several pods which belong to the same service. I need to share a value between all pods in this service.
Per my understanding, a shared volume won't work well, because pods may end up on different nodes.
Having any kind of database (even the most lightweight) exposed as a service to share this value would be overkill (however, it's probably my backup plan).
I was wondering whether there is some K8s-native way to share the value.
Put the values in a ConfigMap and mount it in the Pods. You can include the values of the ConfigMap in the containers of a Pod either as a volume or as environment variables.
See Configure a Pod to Use a ConfigMap in the Kubernetes documentation.
If the Pods need to update the shared values they can write to the ConfigMap (requires Kubernetes API permissions). However, in this case the ConfigMap must be included as a volume, since environment variable values from a ConfigMap are not updated when the ConfigMap changes.
I want to know if different nodes can share Secrets and ConfigMaps. I went through the Kubernetes documentation at https://kubernetes.io/docs/concepts/configuration/secret/ but could not find exact information.
All Kubernetes resources are stored centrally in the etcd database and accessed through the Kubernetes API server. When using ConfigMaps or Secrets, the data inside them is directly embedded into the resource itself (i.e., unlike a PersistentVolume, for example, they do not just reference data stored somewhere else). This is also the reason why the size of a ConfigMap or Secret is limited.
As such they can be used on all Kubernetes nodes. When you have a Pod which is using them, the ConfigMaps or Secrets will be mapped to the node where the Pod is scheduled. So the files from the ConfigMap or Secret might exist on a given node, but those will be just copies of the original ConfigMap or Secret stored centrally in the etcd database.
Is there a way to programmatically update a Kubernetes Secret from a pod? That is, not using kubectl.
I have a Secret mounted on a pod and also exposed via an environment variable. I would like to modify it from my service, but it looks like it's read-only by default.
You can use the Kubernetes REST API with the pod's service account token as credentials (found at /var/run/secrets/kubernetes.io/serviceaccount/token inside the pod); you just need to allow the service account to edit Secrets in the namespace via a Role.
See Secret for the API docs.
The API server is internally reachable via https://kubernetes.default
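The two answers above (writing a shared value back to a ConfigMap from a Pod, and patching a Secret through the REST API with the service account token) describe the same mechanism, so here is one added example covering both. It is not code from either answer. Assumptions: the Pod has the standard projected service-account mount, and the names `demo`, `shared-config`, `app-secret` and the `<token-placeholder>` fallback are constructed placeholders; the `role_manifest` function emits a Role scoped to a single named object so the Pod cannot read or change any other Secret in the namespace.

```python
"""Patch a Kubernetes Secret or ConfigMap from inside a Pod via the REST API.

Added example, not from the original answers. Assumes the default in-cluster
service-account projection; object names and namespace are placeholders.
"""
import base64
import json
import os
import ssl
import urllib.request

SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"
API_SERVER = "https://kubernetes.default"  # in-cluster DNS name of the API server


def read_sa_file(name, fallback):
    """Read a projected service-account file (token, namespace, ca.crt).
    Outside a cluster the file is absent, so return the caller's fallback."""
    try:
        with open(os.path.join(SA_DIR, name)) as f:
            return f.read().strip()
    except OSError:
        return fallback


def build_patch(kind, namespace, name, data):
    """Return (url, headers, body) for a JSON merge-patch on one object.

    kind is the API plural: "secrets" or "configmaps". Secret `data` values
    must be base64 in the API object; ConfigMap values are stored as-is. A
    merge-patch only touches the keys in `data`, other keys are left alone.
    """
    if kind == "secrets":
        payload = {k: base64.b64encode(v.encode()).decode() for k, v in data.items()}
    elif kind == "configmaps":
        payload = dict(data)
    else:
        raise ValueError("kind must be 'secrets' or 'configmaps'")
    url = f"{API_SERVER}/api/v1/namespaces/{namespace}/{kind}/{name}"
    headers = {
        "Content-Type": "application/merge-patch+json",
        # "<token-placeholder>" is a constructed fallback for running outside a cluster
        "Authorization": "Bearer " + read_sa_file("token", "<token-placeholder>"),
    }
    body = json.dumps({"data": payload}).encode()
    return url, headers, body


def send_patch(kind, namespace, name, data):
    """Perform the PATCH. Only meaningful inside a cluster: the API server's
    certificate is verified against the projected ca.crt bundle."""
    url, headers, body = build_patch(kind, namespace, name, data)
    ctx = ssl.create_default_context(cafile=os.path.join(SA_DIR, "ca.crt"))
    req = urllib.request.Request(url, data=body, headers=headers, method="PATCH")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def read_mounted_value(mount_dir, key):
    """Read a key from a ConfigMap/Secret volume on every call rather than
    caching it at startup: the kubelet refreshes the mounted files after an
    update, whereas environment variables filled from the same object never
    change for the life of the container."""
    with open(os.path.join(mount_dir, key)) as f:
        return f.read()


def role_manifest(namespace, name, kind):
    """Least-privilege Role: get/patch on exactly one named Secret or ConfigMap.
    Bind it to the Pod's service account with a RoleBinding in the same namespace."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "Role",
        "metadata": {"name": f"{name}-writer", "namespace": namespace},
        "rules": [{
            "apiGroups": [""],
            "resources": [kind],
            "resourceNames": [name],
            "verbs": ["get", "patch"],
        }],
    }


if __name__ == "__main__":
    # Show the request that would be sent without contacting an API server.
    url, headers, body = build_patch("secrets", "demo", "app-secret", {"api-key": "s3cr3t"})
    print(url, body.decode())
    print(json.dumps(role_manifest("demo", "shared-config", "configmaps"), indent=2))
```

Two caveats worth keeping in mind with this approach: a volume mounted with `subPath` does not receive updates at all, so the re-read trick only works for a whole-directory mount, and granting `patch` on Secrets to a workload service account is the point where a compromised Pod gains write access to that data, which is why the Role pins `resourceNames` to the one object instead of granting the verb namespace-wide.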
All,
I have all my secrets stored in Vault. How can I fetch secrets from Vault and inject them into pods?
Do I have to use a sidecar for it, or is there some easier way also?
There is one great project on GitHub, Vault-CRD, written in Java: https://github.com/DaspawnW/vault-crd
Vault CRD is for sharing Vault secrets with Kubernetes. It injects and syncs values from Vault to Kubernetes Secrets. You can use these Secrets as environment variables inside a pod.
The sidecar pattern is common with Kubernetes applications and can be applied to access secrets from Vault.
There is a great step-by-step walkthrough, hands-on-with-vault-on-kubernetes, on GitHub. This will answer all your basic questions on how to do this, with examples.
One more for your reference: Injecting Vault Secrets Into Kubernetes Pods via a Sidecar