Best Approach to use akv in container

Question

Hi Experts,

Requirement is to use Azure Key-vault in container inside aks cluster. Wanted to know what is the best approach for the same. Can find tutorial as below where secret is being injected inside container using CSI driver and volume mount.

https://learn.microsoft.com/en-us/azure/key-vault/general/key-vault-integrate-kubernetes

Is there any other way for handling the same? or anywhere listed for all supported ways?

Thanks!

Answer 1

Hello @Baharul Islam

Best practice guidance - Don't define credentials in your application code. Use managed identities for Azure resources to let your pod request access to other resources.
Use Use pod managed identities together with Azure Key Vault with Secrets Store CSI Driver.

However there are few ways how you can integrate Azure AKS with KeyVault.

• Using SDK https://learn.microsoft.com/en-us/azure/azure-app-configuration/use-key-vault-references-dotnet-core?tabs=cmd%2Ccore2x
  You should specify SecretID and SecretValue or use Managed Identity.
• You have already mentioned https://learn.microsoft.com/en-us/azure/key-vault/general/key-vault-integrate-kubernetes
  This is best practice as it is used managed identities together with KeyVault.
• Kubernetes also has its own secrets and they can be used in one of three ways, according to the official Kubernetes documentation:
  Mounted as files in a volume on containers inside a Pod or Deployment.
  Referenced as an environment variable in the Pod or Deployment specification.
  Used by the Kubelet when pulling images from private registries via the imagePullSecret key in the Pod specification.
  https://learn.microsoft.com/en-us/azure/aks/developer-best-practices-pod-security