prakasun

Reputation: 183

Fetching a secret from an external vault into a Kubernetes Rancher cluster

Our goal is to fetch the secret from HashiCorp Vault into the Kubernetes cluster so the secret will be encrypted and we won't save any secret data anywhere. Trying to use the SecretProviderClass way and did the installation with the Helm chart. Deploying all YAML like service account, role and rolebinding and deployment but getting the below errors.

Below configuration:

# Multiple objects in one file must be separated with "---" or kubectl
# only applies the first document.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-test
  namespace: test-quota
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: vault-test   # cluster-scoped: metadata.namespace is ignored here
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: vault-test
subjects:
- kind: ServiceAccount
  name: vault-test
  namespace: test-quota
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: vault-test   # cluster-scoped: metadata.namespace is ignored here
rules:
- apiGroups: [""]
  resources: ["serviceaccounts/token"]
  verbs: ["create"]
- apiGroups: [""]
  resources: ["serviceaccounts"]
  verbs: ["get"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get"]
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get"]
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vault-test
  namespace: test-quota
  labels:
    app: vault-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: vault-test
  template:
    metadata:
      labels:
        app: vault-test
    spec:
      serviceAccountName: vault-test
      containers:
      - name: vault-test
        image: busybox
        imagePullPolicy: IfNotPresent
        command: ["/bin/sh"]
        args: ["-c", "while true; do sleep 300;done"]
        env:
        - name: admin
          valueFrom:
            secretKeyRef:
              # Must match secretObjects[].secretName in the SecretProviderClass;
              # the driver only creates that Secret once the volume has mounted.
              name: vault-test
              key: admin
        volumeMounts:
        - name: vault-test
          mountPath: "/mnt/secrets-store"
          readOnly: true
      volumes:
      - name: vault-test
        csi:
          driver: secrets-store.csi.x-k8s.io
          readOnly: true
          volumeAttributes:
            secretproviderclass: vault-test
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: vault-test
  namespace: test-quota
spec:
  provider: vault
  secretObjects:
  - secretName: vault-test
    data:
    - key: admin
      objectName: admin
  parameters:
    vaultAddress: https://vault.dev.org
    vaultNamespace: abc
    vaultToken: xxxx
    roleName: approle
    objects: |
      - objectName: admin
        secretPath: kafka
        secretKey: admin

Error log:

LAST SEEN   TYPE      REASON              OBJECT                            MESSAGE
10s         Normal    Scheduled           pod/vault-test-69f79f8b5-wrnjq    Successfully assigned test-quota/vault-test-69f79f8b5-wrnjq to k8s05
3s          Warning   FailedMount         pod/vault-test-69f79f8b5-wrnjq    MountVolume.NewMounter initialization failed for volume "vault-test" : volume mode "Ephemeral" not supported by driver secrets-store.csi.x-k8s.io (no CSIDriver object)
4m29s       Warning   FailedMount         pod/vault-test-69f79f8b5-xwblr    MountVolume.NewMounter initialization failed for volume "vault-test" : volume mode "Ephemeral" not supported by driver secrets-store.csi.x-k8s.io (no CSIDriver object)
4m22s       Warning   FailedMount         pod/vault-test-69f79f8b5-xwblr    Unable to attach or mount volumes: unmounted volumes=[vault-test], unattached volumes=[vault-test kube-api-access-skfnn]: timed out waiting for the condition
10s         Normal    SuccessfulCreate    replicaset/vault-test-69f79f8b5   Created pod: vault-test-69f79f8b5-wrnjq
10s         Normal    ScalingReplicaSet   deployment/vault-test             Scaled up replica set vault-test-69f79f8b5 to 1

Any leads will be appreciated.
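The event log points at two separate classes of problem: the mount itself fails because the node has no CSIDriver registration for secrets-store.csi.x-k8s.io (the driver DaemonSet from the Helm install is not running or not registered on that node), and, independently of that, the manifests cross-reference each other in ways that only fail later (the env var reads a Secret named admin while the SecretProviderClass syncs one named vault-test). The following script is an added example, not part of the question or of the Secrets Store CSI project: it lints those cross-references and triages the FailedMount events offline. The manifests are embedded as already-parsed dicts (what yaml.safe_load_all would return) so the standard library suffices; the event lines are constructed from the log in the question.

```python
"""Offline lint of Secrets Store CSI + Vault manifests and triage of FailedMount events."""
import re

CSI_DRIVER = "secrets-store.csi.x-k8s.io"
CLUSTER_SCOPED = {"ClusterRole", "ClusterRoleBinding", "CSIDriver"}

# Constructed sample: the question's objects, reduced to the fields the checks need.
MANIFESTS = [
    {"kind": "ServiceAccount", "metadata": {"name": "vault-test", "namespace": "test-quota"}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "vault-test", "namespace": "test-quota"},
     "roleRef": {"kind": "ClusterRole", "name": "vault-test"},
     "subjects": [{"kind": "ServiceAccount", "name": "vault-test", "namespace": "test-quota"}]},
    {"kind": "ClusterRole", "metadata": {"name": "vault-test", "namespace": "test-quota"}, "rules": []},
    {"kind": "Deployment", "metadata": {"name": "vault-test", "namespace": "test-quota"},
     "spec": {"template": {"spec": {
         "serviceAccountName": "vault-test",
         "containers": [{"name": "vault-test", "env": [
             {"name": "admin", "valueFrom": {"secretKeyRef": {"name": "admin", "key": "admin"}}}]}],
         "volumes": [{"name": "vault-test", "csi": {"driver": CSI_DRIVER,
                      "volumeAttributes": {"secretproviderclass": "vault-test"}}}]}}}},
    {"kind": "SecretProviderClass", "metadata": {"name": "vault-test", "namespace": "test-quota"},
     "spec": {"provider": "vault",
              "secretObjects": [{"secretName": "vault-test",
                                 "data": [{"key": "admin", "objectName": "admin"}]}]}},
]

# Constructed sample: the `kubectl get events` lines from the question (MESSAGE column kept).
EVENTS = [
    "Normal Scheduled pod/vault-test-69f79f8b5-wrnjq Successfully assigned test-quota/vault-test-69f79f8b5-wrnjq to k8s05",
    'Warning FailedMount pod/vault-test-69f79f8b5-wrnjq MountVolume.NewMounter initialization failed for volume "vault-test" : volume mode "Ephemeral" not supported by driver secrets-store.csi.x-k8s.io (no CSIDriver object)',
    'Warning FailedMount pod/vault-test-69f79f8b5-xwblr MountVolume.NewMounter initialization failed for volume "vault-test" : volume mode "Ephemeral" not supported by driver secrets-store.csi.x-k8s.io (no CSIDriver object)',
    "Warning FailedMount pod/vault-test-69f79f8b5-xwblr Unable to attach or mount volumes: unmounted volumes=[vault-test], unattached volumes=[vault-test kube-api-access-skfnn]: timed out waiting for the condition",
    "Normal SuccessfulCreate replicaset/vault-test-69f79f8b5 Created pod: vault-test-69f79f8b5-wrnjq",
    "Normal ScalingReplicaSet deployment/vault-test Scaled up replica set vault-test-69f79f8b5 to 1",
]

NO_CSIDRIVER = re.compile(r"not supported by driver (\S+) \(no CSIDriver object\)")


def lint_manifests(docs):
    """Return findings about references between the objects that the API server will not catch."""
    findings = []
    by_kind = {}
    for d in docs:
        by_kind.setdefault(d["kind"], []).append(d)

    for d in docs:
        if d["kind"] in CLUSTER_SCOPED and "namespace" in d["metadata"]:
            findings.append(f"{d['kind']}/{d['metadata']['name']}: metadata.namespace is ignored on cluster-scoped objects")

    spcs = {s["metadata"]["name"] for s in by_kind.get("SecretProviderClass", [])}
    # Secrets the driver will create from secretObjects (requires syncSecret.enabled=true on the driver chart).
    synced = {o["secretName"] for s in by_kind.get("SecretProviderClass", [])
              for o in s["spec"].get("secretObjects", [])}
    service_accounts = {s["metadata"]["name"] for s in by_kind.get("ServiceAccount", [])}

    for dep in by_kind.get("Deployment", []):
        name = dep["metadata"]["name"]
        pod = dep["spec"]["template"]["spec"]
        if pod.get("serviceAccountName") not in service_accounts:
            findings.append(f"Deployment/{name}: serviceAccountName {pod.get('serviceAccountName')!r} is not defined")
        for vol in pod.get("volumes", []):
            csi = vol.get("csi")
            if not csi:
                continue
            if csi.get("driver") != CSI_DRIVER:
                findings.append(f"Deployment/{name}: volume {vol['name']} uses driver {csi.get('driver')!r}, expected {CSI_DRIVER}")
            attrs = {k.lower(): v for k, v in csi.get("volumeAttributes", {}).items()}
            if attrs.get("secretproviderclass") not in spcs:
                findings.append(f"Deployment/{name}: volume {vol['name']} references undefined SecretProviderClass")
        for c in pod.get("containers", []):
            for env in c.get("env", []):
                ref = (env.get("valueFrom") or {}).get("secretKeyRef")
                if ref and ref["name"] not in synced:
                    findings.append(f"Deployment/{name}: env {env['name']} reads Secret {ref['name']!r}, "
                                    f"but the SecretProviderClass only syncs {sorted(synced)}")
    return findings


def triage_events(lines):
    """Map FailedMount messages to the check an operator should run next (deduplicated, in order)."""
    hints = []
    for line in lines:
        if "FailedMount" not in line:
            continue
        m = NO_CSIDRIVER.search(line)
        if m:
            hint = (f"driver {m.group(1)} is not registered on the node: run `kubectl get csidriver {m.group(1)}` "
                    f"and confirm the driver DaemonSet from the Helm install is running there")
        elif "timed out waiting for the condition" in line:
            hint = "follow-on timeout for the same volume; fix the earlier FailedMount cause first"
        else:
            hint = "unclassified FailedMount: " + line
        if hint not in hints:
            hints.append(hint)
    return hints


if __name__ == "__main__":
    for f in lint_manifests(MANIFESTS):
        print("LINT:", f)
    for h in triage_events(EVENTS):
        print("EVENT:", h)
```

Run it as-is to see the three lint findings and two event hints for the question's objects; with PyYAML available, `list(yaml.safe_load_all(open("all.yaml")))` can replace `MANIFESTS` so the same checks run against a real file before `kubectl apply`.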

Upvotes: 0

Views: 486

Answers (0)
