Kaivalya Dambalkar

Reputation: 123

How to access Azure Key Vault with a network security policy enabled?

I have 2 Deployments, as follows:

  1. Orient DB Deployment.
  2. Web Service Deployment.

Initially, to access Orient DB, the web service fetches the Orient DB username and password, which are stored in Azure Key Vault.

To provide extra security, I created a network security policy that only allows pods with the namespaceSelector "application: production" and podSelector "application: production". The network security policy applied is as follows:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: nmsp
  namespace: production
spec:
  # Selects every pod in "production" labelled application=production.
  podSelector:
    matchLabels:
      application: production
  # No policyTypes field: because both an ingress and an egress section are
  # present, Kubernetes treats the policy as restricting both directions.
  ingress:
  - from:
    # namespaceSelector and podSelector in the same entry are ANDed: the peer
    # must be in a namespace labelled application=production AND itself carry
    # the label application=production.
    - namespaceSelector:
        matchLabels:
          application: production
      podSelector:
        matchLabels:
          application: production
  egress:
  - to:
    # Only these pods are reachable from the selected pods; every other
    # destination (other namespaces, cluster DNS, the internet) is denied.
    - namespaceSelector:
        matchLabels:
          application: production
      podSelector:
        matchLabels:
          application: production

But after applying the network security policy, the web service is unable to connect to Orient DB because the web service fails to get the username and password from Azure Key Vault. It gives this error:

Unhandled Rejection at: FetchError: request to https://in-keyvault-kv.vault.azure.net/secrets?api-version=7.1 failed, reason: getaddrinfo EAI_AGAIN in-aks-keyvault-kv.vault.azure.net
at ClientRequest. (/usr/src/app/node_modules/node-fetch/lib/index.js:1461:11)
at ClientRequest.emit (events.js:314:20)
at TLSSocket.socketErrorListener (_http_client.js:428:9)
at TLSSocket.emit (events.js:314:20)
at emitErrorNT (internal/streams/destroy.js:92:8)
at emitErrorAndCloseNT (internal/streams/destroy.js:60:3)
at processTicksAndRejections (internal/process/task_queues.js:84:21) {
type: 'system',
errno: 'EAI_AGAIN',
code: 'EAI_AGAIN'
}

So how can I access this Key Vault for the username and password with the network security policy enabled, and connect to the Orient DB service?

If anyone knows, please help me with this. Thank you.

Upvotes: 1

Views: 418

Answers (1)

Jean-Philippe Bond

Reputation: 10679

You can either add an egress rule that enables port 443 (and the IP range of the Key Vault service if you want to restrict the traffic) or use something like the Azure Key Vault provider for Secrets Store CSI driver to get secret contents stored in an Azure Key Vault instance and use the Secrets Store CSI driver interface to mount them into Kubernetes pods.

Upvotes: 1
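The answer's first option, worked through as an added example that is not code from the question or the answer. `getaddrinfo EAI_AGAIN` is a DNS resolution failure: the original egress section only permits traffic to pods labelled application=production, so the web service pod can no longer reach CoreDNS in kube-system, let alone the Key Vault endpoint on port 443. A working policy therefore needs two extra egress rules, one for DNS and one for HTTPS. The policy name, namespace and labels are taken from the question; the example assumes the cluster labels the kube-system namespace with `kubernetes.io/metadata.name: kube-system` (set automatically from Kubernetes 1.21 on) and that the CoreDNS pods carry `k8s-app: kube-dns`, as they do on AKS.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: nmsp
  namespace: production
spec:
  podSelector:
    matchLabels:
      application: production
  # Stated explicitly so the intent survives edits that remove a section.
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          application: production
      podSelector:
        matchLabels:
          application: production
  egress:
  # Rule 1: pod-to-pod traffic inside production (the original rule).
  # This is what lets the web service reach the Orient DB pods.
  - to:
    - namespaceSelector:
        matchLabels:
          application: production
      podSelector:
        matchLabels:
          application: production
  # Rule 2: cluster DNS. Without it every hostname lookup, including the
  # Key Vault FQDN and the Orient DB Service name, fails with EAI_AGAIN.
  # Assumption: kube-system carries the kubernetes.io/metadata.name label
  # and CoreDNS pods carry k8s-app=kube-dns (true on AKS).
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  # Rule 3: HTTPS to Azure Key Vault. Key Vault is a public endpoint, so the
  # peer is an ipBlock rather than a pod selector. 0.0.0.0/0 is the broad
  # form; narrow the cidr to the AzureKeyVault service-tag prefixes for your
  # region if you want to confine egress to Key Vault only.
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
    ports:
    - protocol: TCP
      port: 443
```

Two checks after applying it: `kubectl exec -n production deploy/<web-service> -- nslookup in-aks-keyvault-kv.vault.azure.net` should now resolve (the deployment name is a placeholder), and `kubectl describe networkpolicy nmsp -n production` should list all three egress rules. Note that NetworkPolicy objects are only enforced when the AKS cluster was created with a network policy engine (`--network-policy azure` or `calico`); the error in the question shows that this cluster has one, which is why the original policy took effect.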

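The answer's second option, as an added example that is not from the answer or from the Secrets Store CSI driver project: a SecretProviderClass for the Azure provider of the Secrets Store CSI driver, plus the CSI volume that mounts the two credentials into the web service pod as files. The Key Vault name is taken from the error message in the question; the secret object names `orientdb-username` and `orientdb-password`, the managed identity client ID, the tenant ID, the Deployment name and the image are placeholders. The point of the design is that the driver's node plugin and the Azure provider run in kube-system and fetch from Key Vault on the pod's behalf, so the production NetworkPolicy, which only governs pods labelled application=production, never sees that traffic, and the application no longer needs outbound 443 at all. The pod still needs DNS egress to resolve the Orient DB Service name, so the DNS rule from the network policy option applies here too.

```yaml
# Assumes the Secrets Store CSI driver and its Azure provider are installed
# (on AKS: the azure-keyvault-secrets-provider add-on) and that the identity
# named below has "get" permission on secrets in the vault.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: orientdb-credentials
  namespace: production
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "true"
    # Placeholder: client ID of the user-assigned identity on the node pool.
    userAssignedIdentityID: "<identity-client-id>"
    keyvaultName: "in-aks-keyvault-kv"   # from the error message in the question
    tenantId: "<tenant-id>"              # placeholder
    # Each object becomes a file named after objectName under the mount path.
    objects: |
      array:
        - |
          objectName: orientdb-username
          objectType: secret
        - |
          objectName: orientdb-password
          objectType: secret
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-service            # placeholder name
  namespace: production
spec:
  replicas: 1
  selector:
    matchLabels:
      app: web-service
  template:
    metadata:
      labels:
        app: web-service
        application: production   # keeps the pod inside the NetworkPolicy above
    spec:
      containers:
      - name: web-service
        image: web-service:latest   # placeholder image
        volumeMounts:
        - name: orientdb-secrets
          mountPath: /mnt/secrets
          readOnly: true
      volumes:
      - name: orientdb-secrets
        csi:
          driver: secrets-store.csi.k8s.io
          readOnly: true
          volumeAttributes:
            secretProviderClass: orientdb-credentials
```

With this in place the web service reads `/mnt/secrets/orientdb-username` and `/mnt/secrets/orientdb-password` from disk instead of calling `https://in-aks-keyvault-kv.vault.azure.net/secrets`, so the `node-fetch` call and its DNS lookup disappear from the application entirely. The tradeoff is that the credentials are now readable by anyone who can `kubectl exec` into the pod or read its filesystem, so restrict those RBAC verbs in the production namespace accordingly.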