To preface, I am new to leveraging Kubernetes in Azure, so I might get some terms wrong. Sorry in advance.
I have been attempting to find a way to create Kubernetes secret objects that are populated with values from Azure key vault (AKV) in Azure Kubernetes services (AKS). The goal is to be able to create an imagePullSecret using values populated from AKV to allow my cluster to pull secrets from an Azure container registry (ACR). I have tested this out with manual creation and got it working, but am open to other solutions to integrating AKS and ACR.
I have found several articles pointing out that I can manage secrets from AKV by using the API
or if you are setting up your cluster in terraform like I do then set up the key_vault_secrets_provider
section in the resource.
Read the instructions in the link above on how to set up secret pulling from AKV. you will need to mount a volume to your pods to create them. If you haven't done that before it's pretty easy to get the hang of. Once you do, every time you deploy a pod, a kubernetes secret will be created with the value of the secret pulled from AKV.
When you need to assign the image pull secret - you use the secret you created via the mounted volume
your deployment yaml may look something like this..
apiVersion: apps/v1
kind: Deployment
metadata:
name: <your deployment name>
namespace: <namespace name>
<more meta data stuff here>
spec:
<some deployment spec stuff here>
template:
metadata:
<some common metadata for your pods in this deployment>
spec:
imagePullSecrets:
- name: <your secret name that holds the value from AKV here>
containers:
- name: <your container name>
image: <ACR_registry_name_here.repo_name:version>
volumeMounts:
- mountPath: /mnt/<image-pull-secret-mount-for-csi here>
name: <whatever name you want>
readOnly: true
<some other container stuff here>
volumes:
- name: <whatever name you want - must be same as above volume mount>
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: <the name of your secretProviderClass resource - see below>
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: <your secretProviderClass name>
namespace: <namespace name>
spec:
parameters:
keyvaultName: <the name of your Azure Key Vault>
objects: <read instructions in the link on how to create these>
resourceGroup: <the azure resource group name of your key vault>
subscriptionId: <your Azure Subscription GUID>
tenantId: <your Azure tenant GUID>
usePodIdentity: "false"
useVMManagedIdentity: "true"
userAssignedIdentityID: <the managed identity id for your core cluster virtual machines - look in the resource group that is automatically created for your cluster VMs when you create your cluster>
provider: azure
secretObjects:
- <this depends upon the secret type you want - again - read instructions in the link I provided>
there are other resources out there i found that this guy's videos are helpful https://www.youtube.com/watch?v=S2wzCD5L9Mo&ab_channel=HoussemDellai
good luck - I hope this helps
CodePudding user response:
No, the secret CSI always need a pod to create Kubernetes secrets.
Yes, you can easily attach your ACR to your AKS leverage the Kubelet identity to pull images from your ACR. You just need to export the Identity and add a Role Assignment on your ACR (for an existing ACR and AKS):
export KUBE_ID=$(az aks show -g <resource group> -n <aks cluster name> --query identityProfile.kubeletidentity.objectId -o tsv)
export ACR_ID=$(az acr show -g <resource group> -n <acr name> --query id -o tsv)
az role assignment create --assignee $KUBE_ID --role "AcrPull" --scope $ACR_ID
For a new AKS simply run :
MYACR=myContainerRegistry
az acr create -n $MYACR -g myContainerRegistryResourceGroup --sku basic
az aks create -n myAKSCluster -g myResourceGroup --generate-ssh-keys --attach-acr $MYACR
This can be also done with IaC like Bicep or Terraform (just create the Role Assignment on the Kubelet Identity)
Here you can also find the documentation.