带秘密替代品的 Kubernetes

Kubernetes with secrets alternative

有了 Kubernetes 集群,将 configurations/passwords 发送到容器的替代方法是什么?我知道秘密方式,但我正在寻找的是一个密码加密的集中式环境,而不是 base64 编码。

您应该尝试 Vault HashiCorp。

Vault 的主要特点是:

  • 安全秘密存储
  • 动态秘密
  • 数据加密
  • 租赁和续订
  • 撤销

这里是 example 使用 Vault + Kubernetes

你也可以考虑 Kamus:

An open source, GitOps, zero-trust secrets encryption and decryption solution for Kubernetes applications.

Kamus enable users to easily encrypt secrets than can be decrypted only by the application running on Kubernetes.
The encryption is done using strong encryption providers (currently supported: Azure KeyVault, Google Cloud KMS and AES).
To learn more about Kamus, check out the blog post and slides.

helm repo add soluto https://charts.soluto.io
helm upgrade --install kamus soluto/kamus

Architecture: Kamus has 3 components:

  • Encrypt API
  • Decrypt API
  • Key Management System (KMS)

The encrypt and decrypt APIs handle encryption and decryption requests. The KMS is a wrapper for various cryptographic solutions. Currently supported:

  • AES - uses one key for all secrets
  • Azure KeyVault - creates one key per service account.
  • Google Cloud KMS - creates one key per service account.