Integrating Azure Key Vault With AKS Cluster
I recently had the pleasure of presenting a webinar with Microsoft Reactor. It was on implementing Azure Key Vault (a centralized place to manage all of your highly sensitive information on Azure). In this webinar, I share a step-by-step demonstration of how to make the secrets you keep there available to an AKS cluster.
The goal is to implement a solution that integrates Azure Key Vault, where I store all my secrets, with my AKS cluster, where I use them. To accomplish this, I used the Secrets Store CSI Driver. It allows Kubernetes to mount multiple secrets, keys and certificates stored in enterprise-grade external secrets stores into a pod as a volume.
With the pod volume attached, the data is mounted into the container’s file system. In order to implement this solution, our cluster must be able to communicate with the Key Vault on Azure. Typically, to enable applications to communicate with Azure cloud resources, we could use a service principal or managed identities. In this instance, I used Azure Active Directory Pod Identity (AAD Pod Identity).
How Azure Active Directory Identity Works
AAD Pod Identity enables Kubernetes applications to access cloud resources securely using Azure Active Directory. An identity is represented in Kubernetes as an AzureIdentity (a custom resource definition, or CRD, on Kubernetes), and labels on the pods are used to indicate the association to cloud identities. These associations are represented by the AzureIdentityBinding CRD, and AzureAssignedIdentities are internal CRDs created when a match is found between a binding and the pod labels.
About Deploying the AAD Pod Identity
When deploying AAD Pod Identity, the following two components are deployed to the AKS cluster, according to Microsoft documentation. The first component is the Managed Identity Controller, or MIC, a Kubernetes controller that watches for changes to pods, AzureIdentity and AzureIdentityBinding resources through the Kubernetes API server.
Like other controllers on Kubernetes, when the MIC detects a relevant change it adds or deletes an AzureAssignedIdentity on demand, as needed. When a pod is scheduled, the MIC assigns the managed identity on Azure to the underlying virtual machine scale set (VMSS) used by the node pool during the creation phase.
When all the pods using the identity are deleted, the MIC removes the identity from the VMSS of the node pool, unless the same managed identity is used by other pods.
The second component is the Node Managed Identity (NMI). The NMI is a pod that runs as a DaemonSet on each node in our cluster. It intercepts security token requests to the Azure Instance Metadata Service, redirects them to itself, validates that the pod is allowed to use the identity it is requesting a token for, and fetches the token from the Azure Active Directory tenant on behalf of the application.
Prepwork: Integrating Information Into AKS Cluster
For this demo, I created one resource group, and a second was created automatically by AKS. The first is “Webinar RG”, which contains my AKS cluster, named “Webinar AKS”, and an Azure Key Vault called “Webinar KV”.
The second resource group holds the Kubernetes infrastructure. This resource group contains the compute resources: the VMSS (the virtual machine scale set), the load balancer next to it, the virtual network itself, and the managed identity that will be used in the integration process.
I’ve also created a guideline for myself to combine AAD Pod Identity and Key Vault. You can follow the AAD Pod Identity and Key Vault documentation shared in the webinar separately and arrive at the same result.
The Integration Process
Here’s an overview of the integration steps. It’s important to follow these in order to successfully complete your integration.
Deploying the AAD Pod Identity
Begin by deploying the AAD Pod Identity to allow the cluster to communicate with Azure’s Key Vault. You’ll need to follow these steps:
- Add the Helm Repository
- Create a Managed Identity
- Deploy AzureIdentity Resource
- Deploy AzureIdentityBinding Resource
- Validate AAD Pod Identity is working
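The five steps above, carried through as one script. This is an added example, not the webinar’s own material or the aad-pod-identity project’s code. It renders the AzureIdentity, AzureIdentityBinding and validation-pod manifests as shell functions and only runs the Helm, az and kubectl commands when invoked with the argument `apply`. The resource-group, cluster and identity names are assumed slugs (the webinar’s “Webinar RG” and “Webinar AKS”), the Helm repository URL is the one the project documents, and the role assignments assume the cluster itself uses a managed identity.

```shell
#!/bin/sh
# Added example (not from the webinar or the aad-pod-identity project).
# Names below are assumed placeholders; override them via the environment.
RG="${RG:-webinar-rg}"                      # assumed slug for "Webinar RG"
AKS="${AKS:-webinar-aks}"                   # assumed slug for "Webinar AKS"
IDENTITY_NAME="${IDENTITY_NAME:-webinar-kv-identity}"
SELECTOR="${SELECTOR:-webinar-kv-access}"   # value pods carry in their aadpodidbinding label

# AzureIdentity CRD: type 0 = user-assigned managed identity.
# $1 = ARM resource ID of the identity, $2 = its client ID.
render_azure_identity() {
  cat <<EOF
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentity
metadata:
  name: $IDENTITY_NAME
spec:
  type: 0
  resourceID: $1
  clientID: $2
EOF
}

# AzureIdentityBinding: ties the identity to the pod-label selector the MIC matches on.
render_azure_identity_binding() {
  cat <<EOF
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentityBinding
metadata:
  name: ${IDENTITY_NAME}-binding
spec:
  azureIdentity: $IDENTITY_NAME
  selector: $SELECTOR
EOF
}

# Validation pod: the aadpodidbinding label is what the binding selector matches.
render_validation_pod() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: aad-identity-check
  labels:
    aadpodidbinding: $SELECTOR
spec:
  containers:
    - name: check
      image: curlimages/curl
      command: ["sleep", "3600"]
EOF
}

apply_all() {
  # Step 1: Helm repository and chart.
  helm repo add aad-pod-identity https://raw.githubusercontent.com/Azure/aad-pod-identity/master/charts
  helm repo update
  helm install aad-pod-identity aad-pod-identity/aad-pod-identity

  # Step 2: managed identity in the node resource group, so the MIC can attach it to the VMSS.
  NODE_RG=$(az aks show -g "$RG" -n "$AKS" --query nodeResourceGroup -o tsv)
  az identity create -g "$NODE_RG" -n "$IDENTITY_NAME" -o none
  RESOURCE_ID=$(az identity show -g "$NODE_RG" -n "$IDENTITY_NAME" --query id -o tsv)
  CLIENT_ID=$(az identity show -g "$NODE_RG" -n "$IDENTITY_NAME" --query clientId -o tsv)
  # The cluster's kubelet identity needs these two roles on the node resource group
  # to assign identities to the VMSS (assumes a managed-identity cluster).
  KUBELET_ID=$(az aks show -g "$RG" -n "$AKS" --query identityProfile.kubeletidentity.clientId -o tsv)
  NODE_RG_ID=$(az group show -n "$NODE_RG" --query id -o tsv)
  az role assignment create --role "Managed Identity Operator" --assignee "$KUBELET_ID" --scope "$NODE_RG_ID" -o none
  az role assignment create --role "Virtual Machine Contributor" --assignee "$KUBELET_ID" --scope "$NODE_RG_ID" -o none

  # Steps 3 and 4: AzureIdentity and AzureIdentityBinding.
  render_azure_identity "$RESOURCE_ID" "$CLIENT_ID" | kubectl apply -f -
  render_azure_identity_binding | kubectl apply -f -

  # Step 5: the NMI should hand the labelled pod a Key Vault token via the IMDS endpoint.
  render_validation_pod | kubectl apply -f -
  kubectl wait --for=condition=Ready pod/aad-identity-check --timeout=120s
  kubectl exec aad-identity-check -- curl -s -H Metadata:true \
    'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net' \
    | grep -q '"access_token"' && echo "AAD Pod Identity is working for selector $SELECTOR"
}

if [ "${1:-}" = "apply" ]; then apply_all; fi
```

The validation step only checks that a token comes back; it never prints the token itself, so it is safe to leave in a pipeline log. Note that the aad-pod-identity project has since been deprecated in favour of Azure AD Workload Identity; the flow here is the one the webinar demonstrates.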
Integrate AKS Cluster With Azure Key Vault (CSI Driver)
To integrate AKS cluster with Azure Key Vault, follow these steps:
- Deploy the Azure Key Vault Provider for Secrets Store CSI Driver
- Create the Azure Key Vault and set secrets
- Create SecretProviderClass
- Create a Pod and mount all secrets to it
- To validate, once the Pod is started, you should see the new mounted content at the volume path specified in your deployment YAML.
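The CSI-driver steps above as one script, again an added example rather than the webinar’s or the secrets-store-csi-driver-provider-azure project’s code. It assumes the AAD Pod Identity binding from the previous section exists with the selector `webinar-kv-access`, uses an assumed slug `webinar-kv` for “Webinar KV”, stores a constructed demo secret named `db-password`, and grants the pod identity only `get` on secrets via a Key Vault access policy. Manifests are rendered by shell functions; the Helm, az and kubectl commands run only with the argument `apply`.

```shell
#!/bin/sh
# Added example (not from the webinar or the CSI provider project).
# Names below are assumed placeholders; override them via the environment.
RG="${RG:-webinar-rg}"                      # assumed slug for "Webinar RG"
KV="${KV:-webinar-kv}"                      # assumed slug for "Webinar KV"
SELECTOR="${SELECTOR:-webinar-kv-access}"   # aadpodidbinding label from the AzureIdentityBinding
SPC_NAME="${SPC_NAME:-azure-kv-secrets}"

# SecretProviderClass: tells the Azure provider which vault, which objects,
# and that it should authenticate through AAD Pod Identity. $1 = tenant ID.
render_secret_provider_class() {
  cat <<EOF
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: $SPC_NAME
spec:
  provider: azure
  parameters:
    usePodIdentity: "true"
    keyvaultName: $KV
    tenantId: $1
    objects: |
      array:
        - |
          objectName: db-password
          objectType: secret
EOF
}

# Consuming pod: the label lets the NMI issue it a token; the CSI volume is read-only.
render_consumer_pod() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: kv-consumer
  labels:
    aadpodidbinding: $SELECTOR
spec:
  containers:
    - name: app
      image: busybox
      command: ["sleep", "3600"]
      volumeMounts:
        - name: secrets-store
          mountPath: /mnt/secrets-store
          readOnly: true
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: $SPC_NAME
EOF
}

apply_all() {
  # Step 1: Azure Key Vault provider for the Secrets Store CSI Driver (chart URL as documented).
  helm repo add csi-secrets-store-provider-azure https://azure.github.io/secrets-store-csi-driver-provider-azure/charts
  helm repo update
  helm install csi csi-secrets-store-provider-azure/csi-secrets-store-provider-azure

  # Step 2: the vault and a constructed demo secret (skip the create if the vault exists).
  az keyvault create -g "$RG" -n "$KV" -o none
  az keyvault secret set --vault-name "$KV" -n db-password --value 'constructed-demo-value' -o none
  # Least privilege: the pod identity may only read secrets, nothing else.
  IDENTITY_CLIENT_ID=$(kubectl get azureidentity -o jsonpath='{.items[0].spec.clientID}')
  az keyvault set-policy -n "$KV" --spn "$IDENTITY_CLIENT_ID" --secret-permissions get -o none

  # Steps 3 and 4: SecretProviderClass and the pod that mounts it.
  TENANT_ID=$(az account show --query tenantId -o tsv)
  render_secret_provider_class "$TENANT_ID" | kubectl apply -f -
  render_consumer_pod | kubectl apply -f -

  # Step 5: the mounted directory should list one file per object, here db-password.
  kubectl wait --for=condition=Ready pod/kv-consumer --timeout=120s
  kubectl exec kv-consumer -- ls /mnt/secrets-store
}

if [ "${1:-}" = "apply" ]; then apply_all; fi
```

The validation lists file names only; avoid `cat`-ing the mounted files in a shared terminal or CI log, since each one is the plaintext secret. Once mounted, the container filesystem is the trust boundary, so keep the volume `readOnly` and do not grant the identity `list` or `set` permissions the workload does not need.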
Having followed these steps, you’ll successfully complete the integration and be more familiar with the process.
I watched the entire webinar but couldn’t spot the link to this resource on GitHub. Please add it to the blog; it will be something readers will want.