
Update AKS Cluster: Enable Workload Identities, Secrets Provider #16

Open
Lusengeri opened this issue Oct 8, 2024 · 0 comments
Labels: enhancement (New feature or request)

Comments

@Lusengeri (Contributor)

Overview

This issue proposes updating the AKS cluster to enable Azure AD workload identities and integrate the Azure Key Vault provider for Kubernetes secrets. This update would significantly improve the security and efficiency of managing secrets and credentials in our Kubernetes environment.

Key Benefits

  1. Enhanced Security:

    • Workload identities allow AKS pods to authenticate directly with Azure AD, removing the need for storing credentials in Azure DevOps Pipeline environments. Pods can now securely access Azure resources like Key Vault, without the overhead of managing secrets in pipelines.
  2. Eliminating Secret Management Overhead:

    • By using the Azure Key Vault provider, secrets stored in Key Vault can be automatically injected into Kubernetes pods. This reduces the risk associated with handling and rotating secrets, streamlining secret management in a secure, automated fashion.
  3. Better Alignment with Cloud-Native Best Practices:

    • Enabling workload identities aligns with cloud-native security best practices by using federated identity mechanisms. This eliminates the need for manual credential rotation and minimizes the risk of credential exposure in CI/CD Pipelines.

Detailed Features

  1. Workload Identities:

    • Pods authenticate with Azure AD using their own workload identities, replacing the older method of using managed service identity (MSI) tied to the entire AKS node.
    • Securely bind specific identities to specific workloads, improving the principle of least privilege and enhancing control over which resources a given workload can access.
  2. Azure Key Vault Provider:

    • Provides a seamless way for AKS workloads to access Key Vault secrets. The secrets provider automatically fetches and mounts secrets from Azure Key Vault into Kubernetes pods.
    • Supports rotation of secrets without needing to redeploy workloads, ensuring uninterrupted access to securely stored secrets.

Why This Update Is Needed

  • Operational Burden: Injecting secrets in CI/CD pipelines is not scalable for a multi-application, multi-cluster environment.
  • Future-Proofing: Azure AD workload identities are the recommended approach for accessing Azure resources in AKS clusters moving forward, as they provide better security and scalability compared to other methods.

Proposed Solution

  • Enable workload identities on the AKS cluster.
  • Configure the Azure Key Vault provider to allow workloads to automatically retrieve secrets.
  • Update Terraform or deployment scripts to manage the necessary Azure AD resources (workload identities and Key Vault access policies).
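The proposed solution above, as an added end-to-end example that is not part of the issue or the repository's own scripts. It uses the az CLI and kubectl to enable the OIDC issuer and workload identity on the cluster, turn on the Key Vault secrets provider add-on with rotation, create a user-assigned identity with a read-only data-plane role on one vault, and federate that identity to exactly one Kubernetes service account; the rendered manifests wire the pod to the mount. All resource names, the namespace, the service account, the tenant ID placeholder, the container image and the secret name `db-password` are assumptions, set via environment variables. The rendering functions run offline; Azure is only touched when `AKS_WI_APPLY=1` is set.

```shell
#!/usr/bin/env sh
# Added example (not from the issue or the project): AKS workload identity + Key Vault CSI provider.
# Every name below is an assumption for illustration; override via the environment.
RG="${RG:-rg-apps}"; AKS="${AKS:-aks-apps}"; KV_NAME="${KV_NAME:-kv-apps}"
IDENTITY="${IDENTITY:-id-payments}"; NS="${NS:-payments}"; SA="${SA:-payments-sa}"
TENANT_ID="${TENANT_ID:-00000000-0000-0000-0000-000000000000}"   # placeholder tenant

# The mutating webhook reads this annotation to inject the projected SA token and client id.
render_service_account() {   # $1 = client id of the user-assigned identity
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $SA
  namespace: $NS
  annotations:
    azure.workload.identity/client-id: "$1"
EOF
}

# Which vault and which objects this workload may mount; clientID selects the identity.
render_secret_provider_class() {   # $1 = client id
  cat <<EOF
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: kv-payments
  namespace: $NS
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"
    clientID: "$1"
    keyvaultName: "$KV_NAME"
    tenantId: "$TENANT_ID"
    objects: |
      array:
        - |
          objectName: db-password
          objectType: secret
EOF
}

# The pod opts in with the use=true label and mounts the CSI volume read-only.
render_pod() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: payments
  namespace: $NS
  labels:
    azure.workload.identity/use: "true"
spec:
  serviceAccountName: $SA
  containers:
    - name: app
      image: example.azurecr.io/payments:1.0   # assumed image
      volumeMounts:
        - name: kv-secrets
          mountPath: /mnt/secrets
          readOnly: true
  volumes:
    - name: kv-secrets
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: kv-payments
EOF
}

# Subject the federated credential is bound to: tokens from any other SA are rejected.
federated_subject() { printf 'system:serviceaccount:%s:%s' "$NS" "$SA"; }

apply_all() {
  az aks update -g "$RG" -n "$AKS" --enable-oidc-issuer --enable-workload-identity
  az aks enable-addons -g "$RG" -n "$AKS" --addons azure-keyvault-secrets-provider --enable-secret-rotation
  ISSUER=$(az aks show -g "$RG" -n "$AKS" --query oidcIssuerProfile.issuerUrl -o tsv)
  az identity create -g "$RG" -n "$IDENTITY" >/dev/null
  CLIENT_ID=$(az identity show -g "$RG" -n "$IDENTITY" --query clientId -o tsv)
  PRINCIPAL_ID=$(az identity show -g "$RG" -n "$IDENTITY" --query principalId -o tsv)
  KV_ID=$(az keyvault show -g "$RG" -n "$KV_NAME" --query id -o tsv)
  # Least privilege: data-plane read of secrets, scoped to this one vault (RBAC, not access policies).
  az role assignment create --role "Key Vault Secrets User" \
    --assignee-object-id "$PRINCIPAL_ID" --assignee-principal-type ServicePrincipal --scope "$KV_ID"
  az identity federated-credential create --name "fc-$SA" --identity-name "$IDENTITY" -g "$RG" \
    --issuer "$ISSUER" --subject "$(federated_subject)" --audience api://AzureADTokenExchange
  { render_service_account "$CLIENT_ID"; echo ---; render_secret_provider_class "$CLIENT_ID"; echo ---; render_pod; } \
    | kubectl apply -f -
}

# Only touch Azure when explicitly asked; the render functions are safe to run anywhere.
if [ "${AKS_WI_APPLY:-0}" = "1" ]; then apply_all; fi
```

Two points worth checking after applying this: the federated credential's `--subject` must match the namespace and service account name exactly, so a renamed SA silently stops getting tokens rather than failing loudly; and rotation only rewrites the file under `/mnt/secrets` at the poll interval, so the application has to re-read the file (or a sidecar has to restart it) for a rotated value to take effect without a redeploy.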