Kubernetes Secrets Store CSI Provider
Secrets Store CSI Driver for Kubernetes secrets - integrates external secret stores with Kubernetes via a Container Storage Interface (CSI) volume.
The Secrets Store CSI Driver (secrets-store.csi.k8s.io) allows Kubernetes to mount multiple secrets, keys, and certificates stored in enterprise-grade external secret stores into pods as a volume. Once the volume is attached, the data in it is mounted into the container's file system.
Tip:
Kubernetes Secrets Store CSI Provider supports only Static Secrets.
The Akeyless provider for the Secrets Store CSI driver allows you to fetch existing secrets that are stored in Akeyless and use the Secrets Store CSI driver interface to mount them into Kubernetes pods.
Similar to Kubernetes secrets, upon pod start the Secrets Store CSI driver communicates with the provider over gRPC to retrieve the secret content from the external secrets store specified in the SecretProviderClass custom resource.
The volume is then mounted in the pod as tmpfs and the secret value is written to the volume.
Once a pod is deleted, the corresponding volume is cleaned up and deleted.
Prerequisites
- Kubernetes 1.16 or higher.
- Secrets Store CSI driver installed.
- TokenRequest enabled.
SecretProviderClass
The SecretProviderClass is a namespaced resource in Secrets Store CSI Provider that is used to provide configurations and provider-specific parameters to the CSI provider.
Supported Authentication Methods:
The SecretProviderClass custom resource should state the akeylessAccessType, which can be one of the supported authentication methods: access_key, aws_iam, azure_ad, gcp, universal_identity.
While using azure_ad, gcp or universal_identity, the following parameters should be provided accordingly: akeylessAzureObjectID, akeylessGCPAudience or akeylessUIDInitToken.
Examples of a SecretProviderClass resource, one per authentication method (the access ID, key, object ID and token values are placeholders):

Using access_key:

    apiVersion: secrets-store.csi.x-k8s.io/v1
    kind: SecretProviderClass
    metadata:
      name: akeyless-test
    spec:
      provider: akeyless
      parameters:
        akeylessGatewayURL: "https://api.akeyless.io"
        akeylessAccessID: "p-xxxxxxxxxxx"
        akeylessAccessKey: "XXXXXXXXXXXXX"
        akeylessAccessType: "access_key"
        objects: |
          - secretPath: "/akeyless-csi-secret/foo"
            fileName: "bar"
          - secretPath: "/akeyless-csi-secret/secret"
            fileName: "bar1"

Using azure_ad (requires akeylessAzureObjectID):

    apiVersion: secrets-store.csi.x-k8s.io/v1
    kind: SecretProviderClass
    metadata:
      name: akeyless-test
    spec:
      provider: akeyless
      parameters:
        akeylessGatewayURL: "https://api.akeyless.io"
        akeylessAccessID: "p-xxxxxxxxx"
        akeylessAzureObjectID: "xxxxxxxxxxxxxxx"
        akeylessAccessType: "azure_ad"
        objects: |
          - secretPath: "/akeyless-csi-secret/foo"
            fileName: "bar"
          - secretPath: "/akeyless-csi-secret/secret"
            fileName: "bar1"

Using gcp (requires akeylessGCPAudience):

    apiVersion: secrets-store.csi.x-k8s.io/v1
    kind: SecretProviderClass
    metadata:
      name: akeyless-test
    spec:
      provider: akeyless
      parameters:
        akeylessGatewayURL: "https://api.akeyless.io"
        akeylessAccessID: "p-xxxxxxxxx"
        akeylessGCPAudience: "akeyless.io"
        akeylessAccessType: "gcp"
        objects: |
          - secretPath: "/akeyless-csi-secret/foo"
            fileName: "bar"
          - secretPath: "/akeyless-csi-secret/secret"
            fileName: "bar1"

Using universal_identity (requires akeylessUIDInitToken):

    apiVersion: secrets-store.csi.x-k8s.io/v1
    kind: SecretProviderClass
    metadata:
      name: akeyless-test
    spec:
      provider: akeyless
      parameters:
        akeylessGatewayURL: "https://api.akeyless.io"
        akeylessAccessID: "p-xxxxxxxxx"
        akeylessUIDInitToken: "xxxxxxxxxxxxxxx"
        akeylessAccessType: "universal_identity"
        objects: |
          - secretPath: "/akeyless-csi-secret/foo"
            fileName: "bar"
          - secretPath: "/akeyless-csi-secret/secret"
            fileName: "bar1"

Using aws_iam:

    apiVersion: secrets-store.csi.x-k8s.io/v1
    kind: SecretProviderClass
    metadata:
      name: akeyless-test
    spec:
      provider: akeyless
      parameters:
        akeylessGatewayURL: "https://api.akeyless.io"
        akeylessAccessID: "p-xxxxxxxxx"
        akeylessAccessType: "aws_iam"
        objects: |
          - secretPath: "/akeyless-csi-secret/foo"
            fileName: "bar"
          - secretPath: "/akeyless-csi-secret/secret"
            fileName: "bar1"
Note:
Using an Access Key within YAML files is not secure. You can provide AKEYLESS_ACCESS_KEY as an environment variable instead.
Reference the SecretProviderClass inside the pod deployment volumes when using the CSI driver (the secretProviderClass attribute must equal the metadata.name of the SecretProviderClass, akeyless-test in the examples above):

    volumes:
      - name: secrets-store-inline
        csi:
          driver: secrets-store.csi.k8s.io
          readOnly: true
          volumeAttributes:
            secretProviderClass: akeyless-test
Note:
The SecretProviderClass needs to be created in the same namespace as the pod.
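The following is an added validation script, not part of the Akeyless provider or this page's own code, that checks a SecretProviderClass and a pod spec against the rules stated above: a supported akeylessAccessType, the extra parameter that azure_ad, gcp and universal_identity require, no inline access key, a matching secretProviderClass name, readOnly volumes, and both objects in the same namespace. It takes already-parsed manifests (plain dicts, as a YAML loader would return); the sample manifests and their placeholder values are constructed for the demonstration.

```python
# Added lint for the SecretProviderClass/pod rules on this page (not Akeyless code).
# Input is the parsed manifest (plain dicts), so no YAML library is needed here.
SUPPORTED_ACCESS_TYPES = {"access_key", "aws_iam", "azure_ad", "gcp", "universal_identity"}
# Extra parameter each of these access types must carry, per the page.
REQUIRED_PARAM = {"azure_ad": "akeylessAzureObjectID", "gcp": "akeylessGCPAudience",
                  "universal_identity": "akeylessUIDInitToken"}
CSI_DRIVER = "secrets-store.csi.k8s.io"


def lint(spc: dict, pod: dict) -> list:
    """Return a list of findings for a SecretProviderClass (spc) and the Pod that mounts it."""
    findings = []
    spec = spc.get("spec", {})
    params = spec.get("parameters", {})
    if spec.get("provider") != "akeyless":
        findings.append("spec.provider must be 'akeyless'")
    for key in ("akeylessGatewayURL", "akeylessAccessID"):
        if key not in params:
            findings.append(f"missing parameter {key}")
    access_type = params.get("akeylessAccessType")
    if access_type not in SUPPORTED_ACCESS_TYPES:
        findings.append(f"unsupported akeylessAccessType {access_type!r}")
    elif access_type in REQUIRED_PARAM and REQUIRED_PARAM[access_type] not in params:
        findings.append(f"{access_type} requires {REQUIRED_PARAM[access_type]}")
    if "akeylessAccessKey" in params:
        findings.append("akeylessAccessKey is inline; use the AKEYLESS_ACCESS_KEY env var")
    # Pod side: the CSI volume must name this class, and both must share a namespace.
    spc_name = spc["metadata"]["name"]
    spc_ns = spc["metadata"].get("namespace", "default")
    pod_ns = pod["metadata"].get("namespace", "default")
    if spc_ns != pod_ns:
        findings.append(f"SecretProviderClass in {spc_ns!r} but pod in {pod_ns!r}")
    for vol in pod["spec"].get("volumes", []):
        csi = vol.get("csi")
        if not csi or csi.get("driver") != CSI_DRIVER:
            continue
        ref = csi.get("volumeAttributes", {}).get("secretProviderClass")
        if ref != spc_name:
            findings.append(f"volume {vol['name']} references {ref!r}, class is {spc_name!r}")
        if csi.get("readOnly") is not True:
            findings.append(f"volume {vol['name']} should set readOnly: true")
    return findings


# Constructed sample: an access_key class with an inline key, and a pod whose volume
# points at a different class name (all values are placeholders).
SAMPLE_SPC = {"metadata": {"name": "akeyless-test"}, "spec": {"provider": "akeyless", "parameters": {
    "akeylessGatewayURL": "https://api.akeyless.io", "akeylessAccessID": "p-xxxxxxxxxxx",
    "akeylessAccessKey": "XXXXXXXXXXXXX", "akeylessAccessType": "access_key"}}}
SAMPLE_POD = {"metadata": {"name": "app", "namespace": "default"}, "spec": {"volumes": [{
    "name": "secrets-store-inline", "csi": {"driver": CSI_DRIVER, "readOnly": True,
    "volumeAttributes": {"secretProviderClass": "akeyless-example"}}}]}}
```

Running `lint(SAMPLE_SPC, SAMPLE_POD)` reports the inline access key and the name mismatch; an empty list means the pair satisfies every rule the page states.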
Installation
Using helm:

    helm repo add akeyless https://akeylesslabs.github.io/helm-charts
    helm install akeyless akeyless/akeyless-csi-provider

Or via the local YAML file located under the deployment folder of this git repository:

    kubectl apply -f deployment/akeyless-csi-provider.yaml