HashiCorp Vault is a third-party secrets management solution that integrates with Kubernetes and Anthos clusters on AWS.
You can deploy Vault on Anthos clusters on AWS using:
You can access Vault secrets inside pods using the Agent Sidecar injector. The injector is a Kubernetes Mutating Webhook Controller. The controller intercepts Pod events and updates the Pod's configuration.
The Vault Agent Injector uses a Pod's Kubernetes Service Account (KSA) with the Vault Kubernetes Auth method. The KSA must be bound to a Vault role whose policy grants access to the secrets.
Once configured, you can request secrets by annotating a Pod.
The following snippet includes annotations that you would add to a Pod. The myapp role has access to the Secret at secrets/banana, and the agent mounts it into the Pod.

spec:
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-inject-secret-apple: "secrets/banana"
        vault.hashicorp.com/role: "myapp"
You can apply this configuration:
- To a Pod with kubectl edit pod/pod-name.
- To a Deployment with kubectl edit deployment/deployment-name.
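As an added example (not part of the Anthos documentation or of Vault's own tooling), the following Python check verifies before deployment that a Pod's injector annotations, its Kubernetes Service Account, and the Vault role and policy it names agree, so a mis-bound KSA or an unpermitted secret path is caught in review rather than as a failing vault-agent init. The role data, the KSA name and the check_pod/path_allowed helpers are constructed assumptions.

```python
# Added example (not from the Anthos docs or Vault): a pre-deploy check that a
# Pod's injector annotations, its KSA, and the Vault role/policy it names agree.
PREFIX = "vault.hashicorp.com/"
SECRET_ANN = PREFIX + "agent-inject-secret-"

def requested_secrets(annotations):
    """Map <name> -> Vault path for every agent-inject-secret-<name> annotation."""
    return {k[len(SECRET_ANN):]: v for k, v in annotations.items()
            if k.startswith(SECRET_ANN)}

def path_allowed(policy_paths, path):
    """Vault policy paths match exactly or with a trailing '*' glob."""
    return any((p.endswith("*") and path.startswith(p[:-1])) or p == path
               for p in policy_paths)

def check_pod(pod, roles):
    """Return findings (empty list = the injector can satisfy this Pod)."""
    meta, ann = pod["metadata"], pod["metadata"].get("annotations", {})
    if ann.get(PREFIX + "agent-inject") != "true":
        return ['agent-inject is not "true": no secrets will be injected']
    role_name = ann.get(PREFIX + "role")
    role = roles.get(role_name)
    if role is None:
        return [f"role {role_name!r} does not exist in the Kubernetes auth method"]
    findings = []
    # The agent logs in with the Pod's KSA token; Vault checks it against the role binding.
    ksa, ns = pod["spec"].get("serviceAccountName", "default"), meta.get("namespace", "default")
    if ksa not in role["bound_service_account_names"] \
            or ns not in role["bound_service_account_namespaces"]:
        findings.append(f"KSA {ns}/{ksa} is not bound to role {role_name!r}: login denied")
    # Each requested path must be readable under the role's policy (least privilege: list
    # only these paths). KV v1 paths assumed, as on the page; KV v2 needs the data/ segment.
    for name, path in requested_secrets(ann).items():
        if not path_allowed(role["policy_paths"], path):
            findings.append(f"secret {name!r}: policy grants no read on {path!r}")
    return findings

# Constructed sample: the Pod annotations from the page plus an assumed KSA, and an
# assumed Vault role 'myapp' bound to that KSA with a policy covering only secrets/banana.
POD = {"metadata": {"namespace": "default", "annotations": {
           "vault.hashicorp.com/agent-inject": "true",
           "vault.hashicorp.com/agent-inject-secret-apple": "secrets/banana",
           "vault.hashicorp.com/role": "myapp"}},
       "spec": {"serviceAccountName": "myapp"}}
ROLES = {"myapp": {"bound_service_account_names": ["myapp"],
                   "bound_service_account_namespaces": ["default"],
                   "policy_paths": ["secrets/banana"]}}

if __name__ == "__main__":
    print(check_pod(POD, ROLES) or "OK: annotations, KSA binding and policy agree")
```

In practice the ROLES data would be read from the Vault Kubernetes auth role and its attached policies; a non-empty findings list corresponds to the vault-agent-init container failing to log in or render the secret.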