How to Use Kubernetes with Vault for Secret Management

Updated: January 30, 2024 By: Guest Contributor

Overview

Secret management is critical in any deployment pipeline, particularly when handling sensitive data across distributed systems. HashiCorp’s Vault is an identity-based secrets and encryption management system. A popular choice for managing secrets, Vault addresses the challenges faced in modern-day computing by integrating with various platforms. One such platform is Kubernetes, the de facto orchestration tool for container management. In this tutorial, we’ll explore how you can effectively use Kubernetes with Vault to manage your secrets.

Prerequisites

  • A running Kubernetes cluster
  • kubectl configured to interact with your cluster
  • HashiCorp Vault installed on your local machine
  • Helm, the Kubernetes package manager, for deploying Vault on Kubernetes

Setting Up Vault Inside Kubernetes

First, you need to set up Vault inside Kubernetes. This can be completed using Helm:


# Add the HashiCorp Helm repository
helm repo add hashicorp https://helm.releases.hashicorp.com

# Install Vault
helm install vault hashicorp/vault

After running these commands, Vault will be deployed on your Kubernetes cluster. You can use kubectl get pods to check the status of the Vault pods.

Initializing and Unsealing Vault

Once Vault is installed, you need to initialize and unseal it:


# Initialize Vault (run against the Vault server pod, e.g. vault-0 created by the Helm chart)
vault operator init

# Unseal Vault; repeat with a different unseal key until the threshold is reached (3 of 5 keys by default)
vault operator unseal <unseal-key>

Make sure to store your unseal keys and root token securely, as you will need these to access Vault.

Configuring Vault Authentication with Kubernetes

Vault provides a Kubernetes authentication method allowing pods to authenticate with Vault using a service account token. You can enable and configure Kubernetes authentication:


# Enable Kubernetes authentication
vault auth enable kubernetes

# Configure the Kubernetes authentication method
# (config parameters: kubernetes_host, kubernetes_ca_cert, token_reviewer_jwt)
vault write auth/kubernetes/config ...
# (role parameters: bound_service_account_names, bound_service_account_namespaces, policies, ttl)
vault write auth/kubernetes/role/example ...

Replace the ‘…’ with your cluster-specific details, such as the API server URL and the credentials Vault uses to communicate with the Kubernetes API server.

Storing and Accessing Secrets

Now that Vault is up and running with Kubernetes, you can store and access secrets:


# Write a secret (the Helm chart's secret/ mount is KV version 2)
vault kv put secret/hello foo=world

# Read the secret from a pod in Kubernetes
# (the pod needs the vault CLI plus VAULT_ADDR and a valid VAULT_TOKEN in its environment;
#  KV v2 secrets are read with `vault kv get`, not `vault read`)
kubectl exec -it <pod-name> -- /bin/sh -c "vault kv get secret/hello"

This will demonstrate how a pod within Kubernetes can access a secret stored in Vault.
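The `vault kv get` above assumes the pod already holds a Vault token. Obtaining one is exactly what the Kubernetes auth role configured earlier is for, so the following Python script, an added example that is not part of the original tutorial, spells out that exchange over Vault's HTTP API: the pod POSTs `{"role", "jwt"}` to `auth/kubernetes/login`, receives a client token carrying the role's policies, and then reads a KV v2 secret through the `/data/` API path with the `X-Vault-Token` header. `VaultClient` and `urllib_transport` use the real API paths; `FakeVault`, the role `myapp`, the policy `myapp-kv-ro`, the address `http://vault.default.svc:8200`, the JWT built by `make_fake_sa_jwt` and the secret values are all constructed stand-ins so the exchange runs offline. A real Vault validates the JWT with the Kubernetes TokenReview API rather than trusting its `sub` claim as the fake does.

```python
"""Kubernetes-auth login then a KV v2 read over Vault's HTTP API (FakeVault is a constructed stand-in)."""
import base64
import json
import secrets
import urllib.request


def urllib_transport(method, url, headers, body):
    """Real transport: one HTTP request to Vault, returning (status, decoded JSON)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status, json.loads(resp.read() or b"{}")


class VaultClient:
    def __init__(self, addr, transport=urllib_transport):
        self.addr = addr.rstrip("/")
        self.transport = transport
        self.token = None

    def login_kubernetes(self, role, jwt):
        """POST {role, jwt} to auth/kubernetes/login; Vault answers with a client token."""
        status, reply = self.transport("POST", f"{self.addr}/v1/auth/kubernetes/login",
                                       {}, {"role": role, "jwt": jwt})
        if status != 200:
            raise PermissionError(f"login failed: {reply.get('errors')}")
        self.token = reply["auth"]["client_token"]
        return reply["auth"]["policies"]

    def kv_get(self, path):
        """Read a KV v2 secret; the API path carries a /data/ segment after the mount."""
        mount, _, rest = path.partition("/")
        status, reply = self.transport("GET", f"{self.addr}/v1/{mount}/data/{rest}",
                                       {"X-Vault-Token": self.token}, None)
        if status != 200:
            raise PermissionError(f"read failed: {reply.get('errors')}")
        return reply["data"]["data"]


def _jwt_claims(jwt):
    """Decode a JWT payload WITHOUT verification (used only by the fake server)."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def make_fake_sa_jwt(namespace, name):
    """Unsigned, constructed JWT carrying only the 'sub' claim Kubernetes sets."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'sub': f'system:serviceaccount:{namespace}:{name}'})}."


class FakeVault:
    """Constructed server side: one auth role, one read-only policy, one secret."""

    def __init__(self):
        self.roles = {"myapp": {"bound_service_account_names": ["myapp"],
                                "bound_service_account_namespaces": ["default"],
                                "policies": ["myapp-kv-ro"]}}
        self.policies = {"myapp-kv-ro": ["secret/data/myapp/"]}  # readable path prefixes
        self.secrets = {"secret/data/myapp/config": {"db_password": "constructed-example"}}
        self.tokens = {}  # issued client token -> policies it carries

    def __call__(self, method, url, headers, body):
        path = url.split("/v1/", 1)[1]
        if method == "POST" and path == "auth/kubernetes/login":
            return self._login(body)
        if method == "GET":
            return self._read(path, headers.get("X-Vault-Token"))
        return 405, {"errors": ["unsupported"]}

    def _login(self, body):
        role = self.roles.get(body.get("role"))
        if role is None:
            return 400, {"errors": ["invalid role name"]}
        # Real Vault submits the JWT to the TokenReview API; the fake trusts the 'sub' claim.
        parts = _jwt_claims(body["jwt"]).get("sub", "").split(":")
        ns, name = (parts[2], parts[3]) if len(parts) == 4 else (None, None)
        if (name not in role["bound_service_account_names"]
                or ns not in role["bound_service_account_namespaces"]):
            return 403, {"errors": ["service account name or namespace not authorized"]}
        token = "hvs." + secrets.token_hex(12)
        self.tokens[token] = role["policies"]
        return 200, {"auth": {"client_token": token, "policies": role["policies"]}}

    def _read(self, path, token):
        granted = self.tokens.get(token, [])
        allowed = any(path.startswith(p) for pol in granted for p in self.policies[pol])
        if not allowed or path not in self.secrets:
            return 403, {"errors": ["permission denied"]}
        return 200, {"data": {"data": self.secrets[path]}}


def demo(namespace="default", sa_name="myapp", role="myapp", path="secret/myapp/config"):
    """Run the full exchange against FakeVault and return the secret's key/value data."""
    # In a pod the jwt is open('/var/run/secrets/kubernetes.io/serviceaccount/token').read()
    client = VaultClient("http://vault.default.svc:8200", transport=FakeVault())
    client.login_kubernetes(role, make_fake_sa_jwt(namespace, sa_name))
    return client.kv_get(path)
```

The three failure paths in `demo` are the ones worth knowing in production: a service account outside the role's `bound_service_account_*` lists is refused at login, a token whose policies do not cover the path gets `permission denied` on read, and an unknown role name is rejected before any JWT check. Against a real server, drop the `transport=` argument and pass the projected token file's contents as the JWT.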

Advanced Secrets Management

For more advanced secrets management, you can use dynamic secrets, automate unsealing with a cloud auto-unseal provider, or run Vault in a high-availability configuration:


# Create a policy for a dynamic secret
vault policy write db-creds - <<EOF
...
EOF

# Enable Vault's database secrets engine (mounted at database/ by default)
vault secrets enable database

# Configure a role that maps a name in Vault to the SQL statements executed to create the credential
# (a database connection must be configured under database/config/<name> first)
vault write database/roles/my-role ...

Dynamic secrets are generated on demand and can reduce the risk of secret compromise.

Vault Policies and Kubernetes Service Accounts

To ensure only specific pods have access to Vault secrets, you can map Kubernetes service accounts to Vault policies:


# Create a new policy in Vault
vault policy write myapp-kv-ro - <<EOF
path "secret/data/myapp/*" {
  capabilities = ["read"]
}
EOF

# Create a Kubernetes service account
kubectl create serviceaccount myapp

# Bind the service account to the Vault policy
# (the role's bound_service_account_names / bound_service_account_namespaces should name only this account)
vault write auth/kubernetes/role/myapp ...

This enforces access control and ensures that only the designated service accounts can read from the specified secret paths.

Monitoring and Logging

Understanding how applications interact with Vault is crucial for security and auditing. Vault's audit devices record every request and response, and Kubernetes tooling such as kubectl lets you read those logs from the Vault pod to monitor and evaluate access patterns:


# Look into Vault's audit logs
vault audit enable file file_path=/var/log/vault_audit.log

# Tail the logs using Kubernetes
kubectl exec -it vault-0 -- tail /var/log/vault_audit.log

Audit logs will help you to track the access and usage of the secrets by different entities in the system.
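Tailing the raw log only goes so far; the questions a reviewer actually asks are which identity read which path, where reads were denied, and whether anyone outside the intended service account touched a protected prefix. The following Python script is an added example, not part of the original tutorial, that answers those questions over audit-device lines. The sample lines are constructed to match the shape of Vault's file audit device (one JSON object per line, a `request` record followed by a `response` record with the same id, secret values replaced by HMACs, and `permission denied` surfacing in the `error` field); they are not real logs, and the service accounts, paths and addresses in them are made up.

```python
"""Summarize Vault audit-log lines by caller and flag unexpected readers of a secret prefix."""
import json
from collections import defaultdict

# Constructed sample lines in the file audit device's one-JSON-object-per-line shape.
SAMPLE_AUDIT_LINES = r"""
{"time":"2024-01-30T10:00:01Z","type":"request","auth":{"display_name":"kubernetes-default-myapp","policies":["default","myapp-kv-ro"],"metadata":{"role":"myapp","service_account_name":"myapp","service_account_namespace":"default"}},"request":{"id":"r1","operation":"read","path":"secret/data/myapp/config","remote_address":"10.42.0.7"}}
{"time":"2024-01-30T10:00:01Z","type":"response","auth":{"display_name":"kubernetes-default-myapp","policies":["default","myapp-kv-ro"],"metadata":{"role":"myapp","service_account_name":"myapp","service_account_namespace":"default"}},"request":{"id":"r1","operation":"read","path":"secret/data/myapp/config","remote_address":"10.42.0.7"},"response":{"data":{"data":"hmac-sha256:REDACTED"}}}
{"time":"2024-01-30T10:05:00Z","type":"response","auth":{"display_name":"kubernetes-default-myapp","policies":["default","myapp-kv-ro"],"metadata":{"role":"myapp","service_account_name":"myapp","service_account_namespace":"default"}},"request":{"id":"r2","operation":"read","path":"secret/data/myapp/config","remote_address":"10.42.0.7"},"response":{"data":{"data":"hmac-sha256:REDACTED"}}}
{"time":"2024-01-30T10:07:13Z","type":"response","auth":{"display_name":"kubernetes-jobs-batch","policies":["default"],"metadata":{"role":"batch","service_account_name":"batch","service_account_namespace":"jobs"}},"request":{"id":"r3","operation":"read","path":"secret/data/myapp/config","remote_address":"10.42.1.3"},"error":"1 error occurred:\n\t* permission denied\n\n"}
{"time":"2024-01-30T10:09:40Z","type":"response","auth":{"display_name":"root","policies":["root"]},"request":{"id":"r4","operation":"read","path":"secret/data/myapp/config","remote_address":"10.0.0.9"},"response":{"data":{"data":"hmac-sha256:REDACTED"}}}
"""


def parse_audit(lines):
    """Yield one event per 'response' record; the matching 'request' record carries no outcome."""
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("type") != "response":
            continue
        auth = rec.get("auth") or {}
        meta = auth.get("metadata") or {}
        req = rec.get("request") or {}
        if "service_account_name" in meta:  # Kubernetes auth: identify the pod's service account
            who = f"{meta.get('service_account_namespace', '?')}/{meta['service_account_name']}"
        else:  # token, userpass, etc.: fall back to the display name
            who = auth.get("display_name", "unknown")
        yield {"who": who, "operation": req.get("operation"), "path": req.get("path", ""),
               "remote": req.get("remote_address"), "time": rec.get("time"),
               "denied": "permission denied" in (rec.get("error") or "")}


def summarize(lines):
    """Per caller: distinct paths accessed successfully, plus every denied path."""
    out = defaultdict(lambda: {"paths": set(), "denied": []})
    for ev in parse_audit(lines):
        if ev["denied"]:
            out[ev["who"]]["denied"].append(ev["path"])
        else:
            out[ev["who"]]["paths"].add(ev["path"])
    return dict(out)


def unexpected_readers(lines, path_prefix, allowed):
    """Callers that successfully read under path_prefix but are not on the allow-list.

    Compare against the policy you intended (here only default/myapp may read
    secret/data/myapp/*) to surface reads that bypassed the Kubernetes role, such as
    a root or operator token pulling the same secret.
    """
    return {ev["who"] for ev in parse_audit(lines)
            if not ev["denied"] and ev["operation"] == "read"
            and ev["path"].startswith(path_prefix) and ev["who"] not in allowed}


if __name__ == "__main__":
    lines = SAMPLE_AUDIT_LINES.splitlines()
    for who, info in summarize(lines).items():
        print(who, sorted(info["paths"]), "denied:", info["denied"])
    print("unexpected readers:", unexpected_readers(lines, "secret/data/myapp/", {"default/myapp"}))
```

On the sample data the summary shows `default/myapp` reading its own config, `jobs/batch` denied on the same path (a misconfigured or probing workload worth a look), and `root` reading the secret directly, which `unexpected_readers` reports because root is not on the allow-list. To run it against the real file, replace `SAMPLE_AUDIT_LINES.splitlines()` with the lines obtained from the `kubectl exec ... tail` command above.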

Conclusion

Combining Kubernetes with Vault for secret management can significantly enhance the security posture of your applications. By following best practices, keeping the configuration and permissions as tight as possible, and constantly monitoring access patterns, you can effectively protect your secrets while still benefiting from the dynamic and scalable nature of containerized environments.