Securing Secrets in AKS using Key Vault

Captions
Everything is in place, let's check. I hope I don't forget to click the record button, and I'm aligning on my second screen here to get all the slides. Salam alaikum, and in this video we'll learn how to add more security to our applications running in Azure Kubernetes Service (AKS). When we use passwords or private certificates or encryption keys, we typically store those in the Secret object in Kubernetes, but that object is not really a secret, because in the end it is only encoded using base64. So a good solution could be either to use a private encryption key to encrypt those values and save them into etcd in Kubernetes, but again this means you will need to manage that private encryption key. So another solution would be to use a KMS, a key management system, like either Azure Key Vault or a secure vault or many other solutions. Those systems have good features like key rotation, so that you can update your secrets frequently, and they can also add features for strong encryption.

Let's take a look at the different components for this workshop. We'll be using Azure Active Directory Pod Identity. This will create an identity in Azure, and this identity will be granted access to the Azure Key Vault, so that my Kubernetes cluster can access Key Vault through that identity. Then we'll use a second component, which is the Secrets Store CSI; CSI stands for Container Storage Interface. Here we'll use the CSI for the Key Vault provider. This one will mount a volume into our Kubernetes cluster, and for that volume the CSI actually will use the secrets store object in order to get information about the Key Vault that we want to access, like its name, its resource group, its subscription ID and tenant ID, along with the list of the secrets, like the passwords we want to retrieve from Key Vault. Then the CSI provider will connect to Azure Key Vault, will retrieve the secrets and then will save them locally into its disk, into a local volume, so that if my pod wants to access the secrets it will mount that volume; that volume will be mounted to the pod so that the pod can access those resources right from that volume.

So we start first by setting up the environment. We need AKS to be installed, and we need also to create a Key Vault resource along with an identity, and then we'll go to install Azure Active Directory Pod Identity and the Secrets Store CSI for Key Vault using Helm charts and YAML Kubernetes manifests. Let's get started here.

A bit of history about this project, about this CSI provider for Kubernetes: at first it was called the Kubernetes Key Vault FlexVolume, which is now deprecated, as you can see right here, and this project is now replaced by the Secrets Store CSI driver, which is like the interface in Kubernetes that should be implemented by each cloud provider, or each provider that wants to give access to it or wants to use it. So you have an implementation of that library, and it's called the Secrets Store CSI driver provider for Azure, and here you have it; it's an open source project on GitHub, so you can see here more details about this. For this workshop we'll be using lots of PowerShell scripts, or actually we'll be using the az command line to create resources in Azure, and they have all those commands documented right here in this project, so you can take a look at it. They have put all the commands actually into the commands.ps1 file. I have already downloaded that on my machine, as you can see right here, and yes, because I also need a Kubernetes cluster, I have created one in Azure, in AKS, and here it is already created. So I'll go to that resource. How I did create my cluster: I went to Create a resource, then I selected Kubernetes Service, and then I filled in the information for the name, the resource group for my cluster, the region, the version for my cluster, the number of nodes and so on. Then make sure when you create the cluster, make sure on the Authentication side you select service principal here, because this workshop will apply to a service principal; that's what the identity is using here.

So let's start now by setting up the environment. Here we need to connect to our Kubernetes cluster. For that we need its name, we need the subscription ID that we are using, we need the tenant ID, the location and the name of the resource group, and then we'll create the Key Vault. For that we need a name for our Key Vault instance, and because we want to add the database password and database login using the command line, here I have created aliases for those values right here, and some other values that we'll be using later in this workshop. So I'll start by running this code in the command line. Here I'm using PowerShell, but you can also use bash if you want to. So this is now connecting to my Azure subscription in order to retrieve the subscription ID from my default account; then it will give the tenant ID, the location and so on, and here you can see the different values that I have already specified. Good. Now let's go to get information about the AKS cluster that we have created. For that I run this command, az aks show, to retrieve my cluster using its name and its resource group, because I need the AKS service principal later in this demo, so I'm getting that into an aks variable. And of course, because this is a new cluster, I need to connect to that cluster using the command az aks get-credentials. This will connect to my Kubernetes cluster, get the credentials and save them into the local kubeconfig file. Then now I want to create a Key Vault resource in Azure. For that I'm using this command, az keyvault create; then I pass the Key Vault name, the resource group, the location, and here I specify that I want to enable soft delete with seven days as the retention days. This will enable me to retrieve my keys or my secrets even after the Key Vault was deleted, within the seven days period.

Once that's done, I'll move to create, or to insert, the first secret into my Key Vault resource. Here this secret will be called this, and then the value will be this value I specified right here, and as you can see then I'll enter a second secret, which will be the password for my database. So the first secret is actually called the database login and the second secret is called the database password. If I move back to the Azure portal right here, if I go to the dashboard, then I move to my resource group for this demo. From here I can see that I have now my AKS cluster and a Key Vault resource that was created, and if I go right to Secrets I should see my two secrets, database login and database password, that were created here.

Then here I go to install the CSI, or the Secrets Store CSI driver, using a Helm chart. For that I need to add the repository for that Helm chart, then I run the command helm install with the name of that specific chart in order to install it into my Kubernetes cluster. Here I'll go to install it into a new namespace; for that I have created a new namespace called csi-driver, and then I specified that namespace on the helm install command. After the install, I run kubectl get pods in order to get the different pods right there, and here I see three pods, because on my Kubernetes cluster I have three nodes, so it will install a pod in each of my nodes. After that I go to install the Secrets Store CSI driver for Key Vault, which is the Azure implementation for the CSI driver; this one is the one that will connect to Key Vault. For that I'll use this YAML Kubernetes manifest file, which will install the different required pods and the different other objects, and after that, if I run get pods in the csi-driver namespace, I can see that it added three different pods, so again a pod per node.

So here the Key Vault provider will try to connect to my Key Vault resource, which is in Azure, and the Key Vault provider is in Kubernetes; it doesn't know about my Key Vault instance. So we need to give it that different information about the subscription ID for my Azure subscription, the resource group, the name of the Key Vault itself and the different secrets to retrieve, and we can do this here by specifying a class that is of type SecretProviderClass. This one will provide this different information to that CSI provider. So you see here the different parameters: to use pod identity, then the name of the Key Vault, and the different values we want to retrieve from Key Vault; here those values will default to the database login and database password, and then here we'll pass the subscription ID, resource group and the tenant ID. We'll deploy that into the Kubernetes cluster using kubectl create -f, then we pass that file to the command line.

After that we'll go to install Azure Active Directory Pod Identity using a YAML manifest file into our AKS cluster. For that we are using the command kubectl apply -f and the path for that YAML file. Note that here this is using the deployment-rbac.yaml file, which is meant to install pod identity into a cluster that has RBAC enabled. If by any chance in your cluster you don't have RBAC enabled, there is another file, just deployment.yaml, which will install it taking into consideration that RBAC is not enabled in your cluster. After installing that, we can see here multiple objects were created to enable pod identity, and right there if I run kubectl get pods I'd see the different objects that were added by pod identity, like here the MIC, which is the managed identity controller, and then the NMI, the node managed identity instance, which will work together in order to use the identity to get access to other resources.

Now we'll go to create the Azure identity itself, that will be used by the CSI driver and will be granted access to Key Vault. For that I'm using the command line az identity create, and then the resource group, the name of that identity and so on. I can do this also from the Azure portal itself, but here I'm again using the command line for those operations. After creating the identity, I give it access, or I grant it access, to the Key Vault. For that I'm using here az role assignment create, where I'm passing the role as Reader for the identity principal ID, and then the scope is the keyvault.id. So with this my identity now has the Reader role, the read access, over my Key Vault, so it can access my Key Vault. Then later I add another role assignment of Managed Identity Operator for my Kubernetes cluster; for that I'm passing here my aks.servicePrincipalProfile.clientId. After that I have added the role, or a policy; I have added a policy to my identity to have permission to read the secrets from my Key Vault. For that here I'm using --secret-permissions get. So my Key Vault defines multiple policies, like get, delete, update and so on, and here my identity now can access the Key Vault and can also read the secrets. So this is specific to only the secrets; if you want to access the keys or the certificates, you can specify --secret-permissions, --certificate-permissions or --key-permissions. So now from the Azure portal, if I go to the resource group and I refresh here, I should see that now I have a third resource, which is the identity. If I go to that identity and then I go to Azure resources, I should see that this will populate, that now it has an identity to connect to the Key Vault. And if I go back to my Key Vault right here, I should see that it has a policy, so if I go to Access policies now I should see it's not only mine, but if I refresh I should see now the policy that is coming from my identity, which has the secret permissions to do the get operations, not the other operations that we can ask for here.

So now we have the identity, and we want to use that identity from our Kubernetes cluster, but Kubernetes doesn't know about that identity. So here we'll be using the AzureIdentity and the AzureIdentityBinding in order to get a reference to that identity, and then resources from within my cluster can use those bindings in order to bind to the identity itself. So here I go to create two Kubernetes objects. The first one is the AzureIdentity, which will have a name and will bind to a resource ID and the client ID, which is here the identity itself; so this is a reference to the identity that is there. Then if I want to use that identity I should pass through the AzureIdentityBinding object; this one will have a reference to the identity that I have already created right here. So note I'm using the same name for the AzureIdentity here and the name of my Azure identity, and then I use a selector. The selector will allow my other resources in Kubernetes to use this identity only by using this selector. So note this selector is already used to access the identity. I have deployed that, so that will create the two objects right here.

So now we have almost everything in place: we have Azure Active Directory Pod Identity installed, the CSI provider for Key Vault is installed, the Key Vault instance has the secrets there, and the identity is configured to connect to my Key Vault. So here I go to deploy an nginx pod that will use the label, or the selector, aadpodidbinding; note here the selector that I have mentioned earlier. Then into that pod I go to mount a volume. That volume that I'll be mounting is using the CSI, the Container Storage Interface, and it uses the secrets-store driver, and in that volume we'll use the SecretProviderClass to retrieve the Key Vault that I want to connect to, and using that provider class to retrieve the different passwords that this pod asks for.

So this means now that my nginx pod would have this CSI volume mounted to that pod, and it has the passwords there. Let's run kubectl get pods, and here we can see our nginx pod is already running. So now I'll go to run some commands in order to access them. The first command right here will list the different passwords in that secrets store volume, so here we find two values, for database login and database password. We'll go to read them using cat; we read the database login and here the login will be displayed right here, and then if we try to read the database password as we have done here, that will give us access to the database password. So now this pod has access to the Key Vault, not directly, no direct access using the password for that Key Vault, but through using pod identity and the CSI provider for Key Vault in order to use the identity and the provider to get access, or to gain access, to the Key Vault and then retrieve those secrets. So the secrets now are saved into this CSI volume.

I leave you with some good resources that you can follow in order to get more details about this CSI project, or the CSI provider for Key Vault. So here if you go to Projects you will see the roadmap explained right here, so you can see the upcoming features and the new features that will be released soon. And I don't want also to miss the opportunity to invite you to check out my YouTube channel, where I have added videos about anything that is containers, Kubernetes, DevOps and Azure. I hope you will like it, and see you in my next videos.
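Added example (not manifests from the video or from the Secrets Store CSI driver project): the four Kubernetes objects the walkthrough above wires together, written in the shape the projects used at the time of the video. The SecretProviderClass tells the Azure provider which Key Vault and which secrets to fetch using pod identity; the AzureIdentity and AzureIdentityBinding expose the user-assigned identity to the cluster; the nginx pod selects the binding through the aadpodidbinding label and mounts the secrets-store CSI volume. The Key Vault name, resource group, subscription and tenant IDs, identity name and client ID, and the secret names DatabaseLogin and DatabasePassword are placeholders, and the API versions (secrets-store.csi.x-k8s.io/v1alpha1, aadpodidentity.k8s.io/v1) are assumed from the 2020-era releases.

```yaml
# Added example; every name and ID below is a placeholder (assumption), not a value from the video.
# 1. SecretProviderClass: which Key Vault, which objects, and how to authenticate (pod identity).
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: azure-kv-secrets
spec:
  provider: azure
  parameters:
    usePodIdentity: "true"                 # use the AAD Pod Identity bound to the pod, no client secret in the cluster
    keyvaultName: "kv-demo-placeholder"
    # Assumed secret names; each objectName becomes one file in the mounted volume.
    objects: |
      array:
        - |
          objectName: DatabaseLogin
          objectType: secret
        - |
          objectName: DatabasePassword
          objectType: secret
    resourceGroup: "rg-demo-placeholder"
    subscriptionId: "00000000-0000-0000-0000-000000000000"
    tenantId: "00000000-0000-0000-0000-000000000000"
---
# 2. AzureIdentity: reference to the user-assigned managed identity created with az identity create.
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentity
metadata:
  name: kv-reader-identity
spec:
  type: 0                                  # 0 = user-assigned managed identity
  resourceID: /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-demo-placeholder/providers/Microsoft.ManagedIdentity/userAssignedIdentities/kv-reader-identity
  clientID: 11111111-1111-1111-1111-111111111111
---
# 3. AzureIdentityBinding: pods labelled aadpodidbinding=kv-reader may use the identity above.
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentityBinding
metadata:
  name: kv-reader-identity-binding
spec:
  azureIdentity: kv-reader-identity
  selector: kv-reader
---
# 4. The workload: selects the binding via the label and mounts the secrets-store CSI volume read-only.
apiVersion: v1
kind: Pod
metadata:
  name: nginx-secrets-store
  labels:
    aadpodidbinding: kv-reader             # must match the binding's selector
spec:
  containers:
    - name: nginx
      image: nginx
      volumeMounts:
        - name: secrets-store
          mountPath: /mnt/secrets-store
          readOnly: true
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: azure-kv-secrets   # the SecretProviderClass defined above
```

Apply with kubectl apply -f and then kubectl exec nginx-secrets-store -- ls /mnt/secrets-store should list one file per objectName, which is the check the video performs with ls and cat. Two points a practitioner should verify: the volume is declared readOnly on both the csi volume and the mount, and the identity's Key Vault access policy carries only --secret-permissions get, which is the least privilege this pod needs. Anything that can exec into the pod can still cat those files, so this design keeps secrets out of etcd and out of base64-encoded Secret objects; it does not protect them from a compromised container.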
Info
Channel: Houssem Dellai
Views: 9,835
Rating: 4.8823528 out of 5
Keywords: kubernetes, azure, aks, k8s, docker, container, secret, security, Azure AD, Pod Identity, Identity, Azure Identity, CSI, Secure Store CSI, Azure Key Vault, Key Vault, KMS, Azure, Secure Storage CSI provider for Key Vault
Id: dAFWrbeA6vQ
Length: 20min 46sec (1246 seconds)
Published: Sat May 02 2020