
Key Management Service:Integrate KMS secrets in ACK

Last Updated: Apr 11, 2024

After you install the ack-secret-manager secret Kubernetes plug-in in Container Service for Kubernetes (ACK), you can configure secret names in the plug-in. The plug-in periodically reads the latest secret values from Key Management Service (KMS) and caches the values in your Kubernetes cluster. You can then use dynamic secrets that are managed in KMS in the same manner that you use Kubernetes Secrets. This reduces the risk of sensitive data being transmitted or leaked during application development and builds.

Procedure

  1. Install the ack-secret-manager secret Kubernetes plug-in.

    • ACK cluster

      1. Log on to the ACK console and click ack-secret-manager on the Marketplace page.

      2. In the upper-right corner of the ack-secret-manager page, click Deploy.

      3. In the Deploy panel, set Cluster, retain the default values for Namespace and Release Name, and then click Next.

      4. In the Parameters step, configure the parameters and click OK.

        Parameter: command.backend
        Description: The backend of the external key management system. Only KMS is supported. Set the value to alicloud-kms.
        Example: alicloud-kms

        Parameter: command.region
        Description: The region from which secrets are retrieved.
        Example: cn-hangzhou

        Parameter: command.disablePolling
        Description: Specifies whether to disable automatic synchronization of the latest secret values from KMS. Default value: false.
        Example: false

        Parameter: command.pollingInterval
        Description: The interval at which existing secret values are synchronized from KMS.
        Example: 120s

        After you complete the configuration, you are redirected to the ack-secret-manager page, where you can view the installation result. If the resources shown in the installation result are created, the ack-secret-manager secret Kubernetes plug-in is installed.

    • Self-managed Kubernetes cluster

      You can visit ack-secret-manager and install the ack-secret-manager secret Kubernetes plug-in.

  2. Create a secret in KMS.

    You can create secrets of all types. For more information, see Manage and use generic secrets, Manage and use RAM secrets, Manage and use ApsaraDB RDS secrets, or Manage and use ECS secrets.

  3. Specify the permissions to access KMS in the ack-secret-manager secret Kubernetes plug-in.

    • Access KMS by using a KMS endpoint

      This method is suitable for secrets in a KMS instance and for secrets created in the earlier version of KMS, which does not require a KMS instance to be purchased.

      1. Create a custom policy in Resource Access Management (RAM) that can be used to access secrets. The following sample code provides an example of the policy content. You can specify the policy content based on your business requirements. For more information, see Use RAM to manage access to KMS resources.

        {
            "Version": "1",
            "Statement": [
                {
                    "Action": [
                        "kms:GetSecretValue",
                        "kms:Decrypt"
                    ],
                    "Resource": [
                        "*"
                    ],
                    "Effect": "Allow"
                }
            ]
        }

      2. Authorize workloads or pods to access KMS.

        Method 1: Attach the custom policy to the worker RAM role of your cluster.

        1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

        2. Find the cluster that you want to manage and click Details in the Actions column.

        3. On the Cluster Resources tab, click the name of the RAM role named KubernetesWorkerRole-******. You are redirected to the page on which you can attach the custom policy to the role.

        Method 2: Use the RAM Roles for Service Accounts (RRSA) feature to attach the custom policy per pod.

        1. Enable the RRSA feature.

        2. Use the RRSA feature: create a RAM role for a service account, specify a trust policy for the RAM role, and then attach the custom policy to the RAM role.

    • Access KMS by using a KMS instance endpoint in the {kmsInstanceId}.cryptoservice.kms.aliyuncs.com format

      This method is suitable for secrets in a KMS instance. If you use a KMS instance to manage your secrets and want to access KMS only in your virtual private cloud (VPC), we recommend that you use this method. For more information, see Create an AAP.

      Note: Before you access KMS by using a KMS instance endpoint, bind the VPC of the workload or pod to the KMS instance. For more information, see Access a KMS instance from multiple VPCs in the same region.

  4. In the ack-secret-manager secret Kubernetes plug-in, specify the protocol, endpoint, client key, and secret name. For more information, see ack-secret-manager.
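The sample RAM policy in step 3 grants kms:GetSecretValue and kms:Decrypt on "Resource": "*". The following Python script is an added example, not part of this page or of the ack-secret-manager project: it builds an equivalent policy whose Resource lists only the secrets the plug-in reads (plus the key that protects them), and audits a policy document for wildcard resources, wildcard actions, or actions the plug-in does not need. The account ID, region, key ID and secret names are constructed placeholders, and the ARN formats acs:kms:{region}:{account}:secret/{name} and acs:kms:{region}:{account}:key/{keyId} are assumed from Alibaba Cloud RAM conventions rather than stated on this page.

```python
import json

# Constructed placeholder values (not from the page). Replace them with your
# own Alibaba Cloud account ID, region, key ID and the names of the secrets
# that ack-secret-manager must read.
ACCOUNT_ID = "123456789012"
REGION = "cn-hangzhou"
SECRET_NAMES = ["db-password", "api-token"]
KEY_ID = "00000000-0000-0000-0000-000000000000"  # placeholder key ID

# The only actions the plug-in needs, as listed in the page's sample policy.
NEEDED_ACTIONS = {"kms:GetSecretValue", "kms:Decrypt"}

# The page's sample statement, wrapped in the Version/Statement envelope that
# a RAM policy document requires.
PAGE_POLICY = {
    "Version": "1",
    "Statement": [{
        "Action": ["kms:GetSecretValue", "kms:Decrypt"],
        "Resource": ["*"],
        "Effect": "Allow",
    }],
}


def secret_arn(region: str, account_id: str, secret_name: str) -> str:
    """ARN of a KMS secret (assumed format): acs:kms:{region}:{account}:secret/{name}."""
    return f"acs:kms:{region}:{account_id}:secret/{secret_name}"


def key_arn(region: str, account_id: str, key_id: str) -> str:
    """ARN of a KMS key (assumed format): acs:kms:{region}:{account}:key/{keyId}."""
    return f"acs:kms:{region}:{account_id}:key/{key_id}"


def build_scoped_policy(region: str, account_id: str, secret_names: list, key_id: str) -> dict:
    """Same two actions as the page's policy, but Resource names only the secrets
    the plug-in reads plus the key that protects them, instead of "*"."""
    resources = [secret_arn(region, account_id, name) for name in secret_names]
    resources.append(key_arn(region, account_id, key_id))
    return {
        "Version": "1",
        "Statement": [{
            "Action": sorted(NEEDED_ACTIONS),
            "Resource": resources,
            "Effect": "Allow",
        }],
    }


def _as_list(value) -> list:
    """RAM allows a single string or a list for Action/Resource; normalize to a list."""
    return [value] if isinstance(value, str) else list(value)


def audit_policy(policy: dict) -> list:
    """Return human-readable findings for Allow statements that are broader than
    ack-secret-manager needs. An empty list means the policy is tightly scoped."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*" or res.endswith("/*") or res.endswith(":*"):
                findings.append(f"statement {idx}: wildcard resource {res!r}")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"statement {idx}: wildcard action {action!r}")
            elif action not in NEEDED_ACTIONS:
                findings.append(f"statement {idx}: action {action!r} is not needed by the plug-in")
    return findings


if __name__ == "__main__":
    print("page policy findings:", audit_policy(PAGE_POLICY))
    scoped = build_scoped_policy(REGION, ACCOUNT_ID, SECRET_NAMES, KEY_ID)
    print("scoped policy findings:", audit_policy(scoped))
    print(json.dumps(scoped, indent=2))
```

Run the script to print the scoped policy document; paste its output as the custom policy content in RAM in place of the wildcard version, and run audit_policy over any policy you attach to the worker role or the RRSA role to confirm it grants nothing beyond the two actions on the named resources.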

What to do next

To protect the secrets that are read from KMS and cached in the Kubernetes cluster, you can encrypt the secrets in Kubernetes Secrets. For more information, see Use KMS to encrypt Kubernetes Secrets at rest.

Note

You can also encrypt static secrets, that is, the system secrets stored in the Kubernetes cluster, to protect them.
