
0 Votes
BaharulIslam-2413 asked ·

Best Approach to use akv in container

Hi Experts,

The requirement is to use Azure Key Vault in a container inside an AKS cluster. I wanted to know what the best approach for this is. I can find a tutorial, as below, where a secret is injected inside the container using the CSI driver and a volume mount.

https://docs.microsoft.com/en-us/azure/key-vault/general/key-vault-integrate-kubernetes

Is there any other way of handling this? Or is there anywhere that lists all the supported ways?

Thanks!

azure-kubernetes-service, azure-key-vault

1 Answer

0 Votes
AndriyBilous answered ·

Hello @BaharulIslam-2413

Best practice guidance: don't define credentials in your application code. Use managed identities for Azure resources to let your pod request access to other resources.
Use pod managed identities together with Azure Key Vault and the Secrets Store CSI Driver.

However, there are a few ways you can integrate AKS with Key Vault:
- Using the SDK: https://docs.microsoft.com/en-us/azure/azure-app-configuration/use-key-vault-references-dotnet-core?tabs=cmd%2Ccore2x
  You should specify a SecretID and SecretValue, or use a Managed Identity.
- The one you have already mentioned: https://docs.microsoft.com/en-us/azure/key-vault/general/key-vault-integrate-kubernetes
  This is the best practice, as it uses managed identities together with Key Vault.
- Kubernetes also has its own Secrets, and they can be used in one of three ways, according to the official Kubernetes documentation:
  - Mounted as files in a volume on containers inside a Pod or Deployment.
  - Referenced as an environment variable in the Pod or Deployment specification.
  - Used by the kubelet when pulling images from private registries via the imagePullSecret key in the Pod specification.
  https://docs.microsoft.com/en-us/azure/aks/developer-best-practices-pod-security

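The recommended path from the answer above (Secrets Store CSI driver with the Azure Key Vault provider and a pod-managed identity), written out as an added example; it is not part of the original post or of Microsoft's documentation. The vault name, tenant ID, secret name, namespace, identity binding selector and container image are all placeholders. The Pod spec also carries the hardening settings a practitioner would pair with a mounted secret, which speaks to the concern raised in the comments below about reading the plain-text files from inside the container.

```yaml
# Added example (not from the original post). Every "example-" name, the
# tenant ID and the image are placeholders to be replaced for a real cluster.
apiVersion: secrets-store.csi.k8s.io/v1
kind: SecretProviderClass
metadata:
  name: example-akv-secrets
  namespace: example-app
spec:
  provider: azure
  parameters:
    usePodIdentity: "true"          # AAD Pod Identity: no client secret stored in the cluster
    keyvaultName: "example-kv"      # assumed vault name
    tenantId: "00000000-0000-0000-0000-000000000000"   # placeholder tenant ID
    objects: |
      array:
        - |
          objectName: db-password   # assumed secret name in the vault
          objectType: secret
          objectVersion: ""         # empty string = latest version
  # Optional: mirror the mounted file into a Kubernetes Secret so the app can
  # read it as an environment variable. Only do this if you accept that the
  # value then also lives in etcd and is readable by anyone with RBAC "get"
  # on Secrets in this namespace.
  secretObjects:
    - secretName: example-db-credentials
      type: Opaque
      data:
        - objectName: db-password
          key: DB_PASSWORD
---
apiVersion: v1
kind: Pod
metadata:
  name: example-app
  namespace: example-app
  labels:
    aadpodidbinding: example-akv-identity   # must match the AzureIdentityBinding selector
spec:
  automountServiceAccountToken: false       # the app does not talk to the Kubernetes API
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: example.azurecr.io/app:1.0.0   # assumed image
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: secrets-store
          mountPath: /mnt/secrets-store     # secret appears as /mnt/secrets-store/db-password
          readOnly: true
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: example-akv-secrets
```

The mounted volume is an in-memory (tmpfs) filesystem managed by the CSI driver and is visible only inside the pod's mount namespace, so exposure is limited to the pod itself and to anyone who already has exec or node-level access. A compromised container can still read whatever is mounted; the controls that actually bound the blast radius are a Key Vault access policy (or RBAC role assignment) that grants the pod's identity get on only the listed secrets, Key Vault diagnostic logging so unexpected reads are visible, and regular rotation. Note that AAD Pod Identity (the aadpodidbinding label) has since been superseded by Azure AD Workload Identity, which uses a different provider parameter and pod annotation; the rest of the manifest structure is unchanged.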

Thanks @AndriyBilous for the comment.

I was going through https://docs.microsoft.com/en-us/azure/key-vault/general/key-vault-integrate-kubernetes, and you also mentioned it as the best way to manage secrets, but will there be any security risk when we do a volume mount, as it will put all the secrets inside the container? If anyone can get inside the container, there is the possibility of extracting all the secrets from plain text files.

0 Votes
TaB-8489 ·

@BaharulIslam-2413, you can check this link for details on this. It has the complete procedure to enable the integration.

Now to your other question. First of all, if someone has the ability to open your pod, then s/he has every level of access to ruin it.

For example, this link shows the procedure to call KV via the REST API. In that case you have to manage a client ID and secret ID. Here, again, a question of insecurity arises. One way that can be followed is to write an application, or at least the hardcoded values, in a native C library, and read from it at run time. Generally it is more difficult to break C libraries than other languages.

But make sure that the more you expand, the more responsibilities you'll add. Summarizing: nothing is secure in this world. :)

0 Votes