HashiCorp Vault is a third-party secrets management solution that integrates with Kubernetes and GKE on AWS.
You can deploy Vault on GKE on AWS using:
- HashiCorp's official Helm chart
- Vault on GKE, which is installed with Terraform.
You can access Vault secrets inside Pods using the Vault Agent Injector. The injector is a Kubernetes mutating admission webhook controller: it intercepts Pod creation requests and patches the Pod spec to add a Vault Agent init container and sidecar, which fetch the requested secrets and write them to a shared in-memory volume mounted in the application container.
The Vault Agent Injector authenticates with the Pod's Kubernetes Service Account (KSA) token through the Vault Kubernetes auth method: the agent presents the KSA token, Vault validates it against the cluster's TokenReview API, and issues a Vault token scoped to the matching role. The KSA must therefore be bound to a Vault role whose policy grants access to the secrets the Pod needs; a Pod running as any other service account, or in a namespace the role does not allow, fails to log in.
Once the role is configured, you request secrets by annotating the Pod.
The following snippet shows the annotations you would add to a Pod template. If the myapp role has access to the secret at secrets/banana, Vault mounts it in the Pod at /vault/secrets/apple (the suffix of the agent-inject-secret-* annotation names the file, and its value is the Vault path).
```yaml
spec:
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-inject-secret-apple: "secrets/banana"
        vault.hashicorp.com/role: "myapp"
```
You can apply this configuration:
- To a Deployment with `kubectl edit deployment/deployment-name`. Saving the edit rolls out new Pods, which the injector mutates as they are admitted.
- To a Pod with `kubectl edit pod/pod-name`. A bare Pod has no spec.template, so the annotations go directly under metadata.annotations. Because the containers of a running Pod cannot be changed, the sidecar only appears when the Pod is recreated with the annotations in place.
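The role binding described above is Vault-side configuration that the page does not show. The following script, an added example that is not code from the page, Google or HashiCorp, creates the policy, the Kubernetes auth role bound to the Pod's service account, and the secret the annotation refers to. It assumes (these are not stated on the page) that the Kubernetes auth method is mounted at auth/kubernetes, that a KV version-1 engine is mounted at secrets/ so the annotation path "secrets/banana" is the literal API path, and that the workload runs as service account myapp in namespace default. The helper names run_vault, myapp_policy, configure_vault and check_service_account are hypothetical.

```shell
#!/bin/sh
# Added example, not from the page, Google or HashiCorp: Vault-side setup for
# the myapp role used by the injector annotations.
# Assumptions (not stated on the page):
#   - Kubernetes auth method enabled at auth/kubernetes
#   - KV version-1 engine at secrets/, so "secrets/banana" is the API path;
#     on a KV v2 mount both the policy and the annotation would need
#     "secrets/data/banana" instead
#   - workload runs as KSA "myapp" in namespace "default"
# VAULT_ADDR/VAULT_TOKEN must identify a Vault the caller may configure.
# VAULT_DRY_RUN=1 prints the vault commands instead of running them.

ROLE_NAME=myapp
KSA_NAME=myapp
KSA_NAMESPACE=default
SECRET_PATH=secrets/banana
K8S_HOST="${K8S_HOST:-https://kubernetes.default.svc:443}"

# Run a vault CLI command, or print it when dry-running.
run_vault() {
    if [ "${VAULT_DRY_RUN:-0}" = "1" ]; then
        echo "vault $*"
    else
        vault "$@"
    fi
}

# Least-privilege policy: read-only access to the one path the Pod needs.
myapp_policy() {
    cat <<EOF
path "$SECRET_PATH" {
  capabilities = ["read"]
}
EOF
}

# Order matters: the mount before the secret, the policy before the role.
# The two "enable" calls fail if the mount already exists; drop them then.
configure_vault() {
    run_vault secrets enable -path=secrets -version=1 kv

    # Vault verifies Pod service-account tokens against this API server
    # through the TokenReview API.
    run_vault auth enable kubernetes
    run_vault write auth/kubernetes/config kubernetes_host="$K8S_HOST"

    myapp_policy | run_vault policy write "$ROLE_NAME" -

    # Role binding: only tokens of KSA myapp in namespace default may log in,
    # and the Vault token they receive carries just the myapp policy.
    run_vault write "auth/kubernetes/role/$ROLE_NAME" \
        "bound_service_account_names=$KSA_NAME" \
        "bound_service_account_namespaces=$KSA_NAMESPACE" \
        "token_policies=$ROLE_NAME" \
        token_ttl=1h

    # The secret the annotation refers to (constructed sample data).
    run_vault kv put "$SECRET_PATH" color=yellow
}

# Pod-side check: the serviceAccountName in the Pod spec must be the KSA the
# role is bound to, otherwise the Kubernetes auth login is rejected.
check_service_account() {
    [ "$1" = "$KSA_NAME" ]
}

if [ -n "${VAULT_ADDR:-}" ] || [ "${VAULT_DRY_RUN:-0}" = "1" ]; then
    configure_vault
fi
```

Run it with VAULT_DRY_RUN=1 first to review the exact commands, then against a Vault you may configure. The Deployment that carries the annotations must set serviceAccountName: myapp in its Pod template; the annotations alone do not choose the service account, and the role rejects tokens from any other one.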
What's next
- Read the Vault Injector documentation.
- Review the vault-k8s GitHub repository.