ENV
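# Cluster name and AWS account id consumed by the later eksctl / IAM steps.
export EKS_CLUSTER_NAME=skills-eks-cluster
# Assign and export in two steps: `export VAR=$(cmd)` always reports export's own
# (successful) status, so a failed STS call would silently leave ACCOUNT_ID empty.
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
: "${ACCOUNT_ID:?aws sts get-caller-identity returned no account id}"
export ACCOUNT_ID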
Add and install the Secrets Store CSI Driver chart
# Register the upstream Secrets Store CSI Driver chart repository, then install the
# driver into kube-system under the release name csi-secrets-store.
# NOTE(review): no chart --version is pinned, so each run installs whatever the repo
# currently serves; pin a version for reproducible installs.
helm repo add secrets-store-csi-driver \
  https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
helm install csi-secrets-store \
  secrets-store-csi-driver/secrets-store-csi-driver \
  --namespace kube-system
Add and install the ASCP chart
# Register the AWS provider (ASCP) chart repository and install the provider next to
# the CSI driver in kube-system, release name secrets-provider-aws.
# NOTE(review): unpinned chart version here as well; pin with --version for reproducibility.
helm repo add aws-secrets-manager \
  https://aws.github.io/secrets-store-csi-driver-provider-aws
helm install secrets-provider-aws \
  aws-secrets-manager/secrets-store-csi-driver-provider-aws \
  --namespace kube-system
Create Secret
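# Create the sample secret in Secrets Manager.
# The value is handed to the CLI via file:// instead of as a literal argument: a literal
# --secret-string lands in shell history and is readable by other users via `ps`.
# The sample value is still typed on the printf line below; for a real secret write
# secret.json from an editor instead. umask 077 keeps the temp file owner-readable only.
( umask 077; printf '%s' '{"username":"foo", "password":"super-secret"}' > secret.json )
aws --region ap-northeast-2 secretsmanager \
  create-secret --name secret_test \
  --secret-string file://secret.json
rm -f -- secret.json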
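# Look up the ARN of the secret created above. `--output text` yields the bare string,
# so the sed that used to strip JSON quotes is unnecessary.
SECRET_ARN=$(aws --region ap-northeast-2 secretsmanager \
  describe-secret --secret-id secret_test \
  --query 'ARN' --output text)
# Fail loudly now rather than producing an empty policy Resource later.
: "${SECRET_ARN:?describe-secret returned no ARN}"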
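# Show the ARN; printf with a quoted expansion avoids echo's option/escape handling
# and word-splitting of the value.
printf '%s\n' "$SECRET_ARN"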
Create Policy
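# Create an IAM policy scoped to exactly this one secret (least privilege: only the
# two read actions the CSI provider needs, on a single Resource ARN).
# Guard first: with SECRET_ARN empty the policy would be created with Resource [""].
: "${SECRET_ARN:?set by the describe-secret step}"
# Prints the new policy's ARN; the IRSA step reconstructs it from ACCOUNT_ID instead.
aws --region ap-northeast-2 iam \
  create-policy --query Policy.Arn \
  --output text --policy-name secret_policy \
  --policy-document '{
  "Version": "2012-10-17",
  "Statement": [ {
    "Effect": "Allow",
    "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
    "Resource": ["'"$SECRET_ARN"'" ]
  } ]
}'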
OIDC
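# Associate the cluster's OIDC issuer with IAM so service accounts can assume roles (IRSA).
# Quote the cluster name and refuse to run with it unset.
: "${EKS_CLUSTER_NAME:?set in the ENV step}"
eksctl utils associate-iam-oidc-provider \
  --region=ap-northeast-2 \
  --cluster="$EKS_CLUSTER_NAME" \
  --approve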
IRSA
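# Create the Kubernetes service account and the IAM role it assumes, attaching the
# single-secret policy created above.
# Both variables are interpolated into ARNs/flags, so refuse to run with either unset.
: "${EKS_CLUSTER_NAME:?set in the ENV step}"
: "${ACCOUNT_ID:?set in the ENV step}"
# --override-existing-serviceaccounts replaces an existing SA of the same name in the
# default namespace; drop it if that SA is shared with something else.
eksctl create iamserviceaccount \
  --region=ap-northeast-2 \
  --name "secret-deployment-sa" \
  --cluster "$EKS_CLUSTER_NAME" \
  --attach-policy-arn "arn:aws:iam::${ACCOUNT_ID}:policy/secret_policy" \
  --override-existing-serviceaccounts \
  --approve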
SecretProviderClass
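# SecretProviderClass: tells the Secrets Store CSI driver (via the AWS provider) which
# Secrets Manager object to mount. Indentation restored; the page rendered it flattened.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: test-deployment-spc
spec:
  provider: aws
  parameters:
    # Replace <SECRET_ARN> with the ARN printed by the describe-secret step before applying.
    # The mounted file is named after objectName; set objectAlias if you want a stable
    # file name instead of the full ARN.
    objects: |
      - objectName: "<SECRET_ARN>"
        objectType: "secretsmanager"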
# Apply the SecretProviderClass saved above (after substituting the <SECRET_ARN> placeholder).
kubectl apply --filename SecretProviderClass.yaml
Deployment
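# Deployment that mounts the secret through the CSI driver as a read-only file under
# /mnt/secrets. Indentation restored; the page rendered it flattened.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      # The IRSA-backed service account; its IAM role is what authorises the
      # GetSecretValue call made by the provider when the volume is mounted.
      serviceAccountName: secret-deployment-sa
      containers:
        - name: nginx-deployment
          # NOTE(review): unpinned image tag; pin a tag (or digest) for reproducible rollouts.
          image: nginx
          ports:
            - containerPort: 80
          volumeMounts:
            - name: secrets-store-inline
              mountPath: "/mnt/secrets"
              readOnly: true
      volumes:
        - name: secrets-store-inline
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              # Must match metadata.name of the SecretProviderClass applied earlier.
              secretProviderClass: test-deployment-spc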
# Roll out the nginx Deployment saved above.
kubectl apply --filename deployment.yaml
Result
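# Find the nginx pod and read the mounted file to confirm the CSI mount worked.
# Assign and export separately so a failed kubectl is not masked by export's status.
POD_NAME=$(kubectl get pods -l app=nginx -o jsonpath='{.items[].metadata.name}')
export POD_NAME
: "${POD_NAME:?no pod with label app=nginx found}"
: "${SECRET_ARN:?set by the describe-secret step}"
# This prints the secret value to the terminal (and into scrollback / session logs).
# When you only need to verify the mount, `ls -l /mnt/secrets` is enough.
kubectl exec -it "$POD_NAME" -- cat "/mnt/secrets/${SECRET_ARN}"; echo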